{ "type": "Domain", "indicator": "bonesolution.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bonesolution.org", "alexa": "http://www.alexa.com/siteinfo/bonesolution.org", "indicator": "bonesolution.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3661709308, "indicator": "bonesolution.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69375583aeea809ad44d73cf", "name": "Investigating Indonesias Gambling Ecosystem: Indicators of National-Level Cyber Operations", "description": "Research has uncovered a substantial state-sponsored cybercrime operation in Indonesia that has been active for over 14 years, significantly revolving around illegal gambling activities. This infrastructure, attributed to a sophisticated Advanced Persistent Threat (APT), operates with remarkable resources typical of state-level actors and consists of over 328,000 domains, including 90,125 hacked domains and 236,433 purchased domains. The campaign employs extensive domain hijacking techniques, primarily targeting organizations and government entities across multiple sectors. Indicators of its operations include the use of TLS-terminating reverse proxies to conceal command and control (C2) traffic and facilitate cookie theft on compromised sites.", "modified": "2025-12-08T22:54:05.801000", "created": "2025-12-08T22:47:31.272000", "tags": [ "indonesia", "wordpress", "ip address", "android", "fqdns", "slack", "facebook", "scribd", "exploit", "envato" ], "references": [ "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America", "Ecuador" ], "malware_families": [ { "id": "Envato", "display_name": "Envato", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Manufacturing", "Transport", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 466892, "hostname": 5011, "FileHash-MD5": 344, "FileHash-SHA1": 342, "FileHash-SHA256": 15639 }, "indicator_count": 488228, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "907 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6477d79099035326786bca6e", "name": "URLHaus data - 31-05-2023", "description": "", "modified": "2023-06-30T23:02:10.939000", "created": "2023-05-31T23:26:08.882000", "tags": [ "elf", "Mozi", "32-bit", "mips", "mirai", "arm", "hajime", "PowerShellDiscordKeyLogger", "BB30", "geofenced", "js", "Qakbot", "USA", "zip", "dll", "Quakbot", "x86-32", "gafgyt", "exe", "Formbook", "opendir", "VoidRAT", "NetSupport", "rat", "32", "sparc", "motorola", "PowerPC", "Loki", "AgentTesla", "cutwail", "rdgn", "shellscript", "Amadey", "dropped-by-PrivateLoader", "RedLineStealer", "brt", "Gozi", "ISFB", "ITA", "ursnif", "Gh0stRAT", "ascii", "Encoded", "encrypted" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 399, "hostname": 7 }, "indicator_count": 1406, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "1023 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64373c40df19df22f727ca78", "name": "URLHaus data - 12-04-2023", "description": "", "modified": "2023-04-12T23:18:24.241000", "created": "2023-04-12T23:18:24.241000", "tags": [ "32-bit", "elf", "mips", "Mozi", "hajime", "mirai", "shellscript", "32", "arm", "sparc", "intel", "PowerPC", "motorola", "renesas", "geofenced", "obama251", "Qakbot", "qbot", "Quakbot", "USA", "wsf", "zip", "dll", "ua-ps", "exe", "921", "BB23", "TR", "njRAT", "dropped-by-PrivateLoader", "encrypted", "RedLine", "AuroraStealer", "pw-2227", "rar", "pw-2022", "pw-space", "pw-2023", "Vidar", "pw-123456789987654321", "opendir", "x86-32", "obama250", "rat", "RemcosRAT", "AgentTesla", "ascii", "Encoded", "1234", "7z", "Password-protected", "xmrig", "dropped-by-amadey", "RedLineStealer", "xworm", "LaplasClipper" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 449, "domain": 427, "hostname": 5 }, "indicator_count": 1881, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "1102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Envato" ], "industries": [ "Healthcare", "Transport", "Manufacturing", "Education", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69375583aeea809ad44d73cf", "name": "Investigating Indonesias Gambling Ecosystem: Indicators of National-Level Cyber Operations", "description": "Research has uncovered a substantial state-sponsored cybercrime operation in Indonesia that has been active for over 14 years, significantly revolving around illegal gambling activities. This infrastructure, attributed to a sophisticated Advanced Persistent Threat (APT), operates with remarkable resources typical of state-level actors and consists of over 328,000 domains, including 90,125 hacked domains and 236,433 purchased domains. The campaign employs extensive domain hijacking techniques, primarily targeting organizations and government entities across multiple sectors. Indicators of its operations include the use of TLS-terminating reverse proxies to conceal command and control (C2) traffic and facilitate cookie theft on compromised sites.", "modified": "2025-12-08T22:54:05.801000", "created": "2025-12-08T22:47:31.272000", "tags": [ "indonesia", "wordpress", "ip address", "android", "fqdns", "slack", "facebook", "scribd", "exploit", "envato" ], "references": [ "https://www.malanta.ai/blog-posts/investigating-indonesias-gambling-ecosystem-indicators-of-national-level-cyber-operations" ], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia", "United States of America", "Ecuador" ], "malware_families": [ { "id": "Envato", "display_name": "Envato", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Manufacturing", "Transport", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 466892, "hostname": 5011, "FileHash-MD5": 344, "FileHash-SHA1": 342, "FileHash-SHA256": 15639 }, "indicator_count": 488228, "is_author": false, "is_subscribing": null, "subscriber_count": 175, "modified_text": "131 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "907 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6477d79099035326786bca6e", "name": "URLHaus data - 31-05-2023", "description": "", "modified": "2023-06-30T23:02:10.939000", "created": "2023-05-31T23:26:08.882000", "tags": [ "elf", "Mozi", "32-bit", "mips", "mirai", "arm", "hajime", "PowerShellDiscordKeyLogger", "BB30", "geofenced", "js", "Qakbot", "USA", "zip", "dll", "Quakbot", "x86-32", "gafgyt", "exe", "Formbook", "opendir", "VoidRAT", "NetSupport", "rat", "32", "sparc", "motorola", "PowerPC", "Loki", "AgentTesla", "cutwail", "rdgn", "shellscript", "Amadey", "dropped-by-PrivateLoader", "RedLineStealer", "brt", "Gozi", "ISFB", "ITA", "ursnif", "Gh0stRAT", "ascii", "Encoded", "encrypted" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 399, "hostname": 7 }, "indicator_count": 1406, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "1023 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64373c40df19df22f727ca78", "name": "URLHaus data - 12-04-2023", "description": "", "modified": "2023-04-12T23:18:24.241000", "created": "2023-04-12T23:18:24.241000", "tags": [ "32-bit", "elf", "mips", "Mozi", "hajime", "mirai", "shellscript", "32", "arm", "sparc", "intel", "PowerPC", "motorola", "renesas", "geofenced", "obama251", "Qakbot", "qbot", "Quakbot", "USA", "wsf", "zip", "dll", "ua-ps", "exe", "921", "BB23", "TR", "njRAT", "dropped-by-PrivateLoader", "encrypted", "RedLine", "AuroraStealer", "pw-2227", "rar", "pw-2022", "pw-space", "pw-2023", "Vidar", "pw-123456789987654321", "opendir", "x86-32", "obama250", "rat", "RemcosRAT", "AgentTesla", "ascii", "Encoded", "1234", "7z", "Password-protected", "xmrig", "dropped-by-amadey", "RedLineStealer", "xworm", "LaplasClipper" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 449, "domain": 427, "hostname": 5 }, "indicator_count": 1881, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "1102 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bonesolution.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bonesolution.org", "found": true, "verdict": "malicious", "url_count": 3, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://bonesolution.org/sia/", "status": "offline", "threat": "malware_download", "date_added": "2023-05-31", "tags": [ "BB30", "geofenced", "js", "Qakbot", "Quakbot", "USA", "zip" ] }, { "url": "https://bonesolution.org/int/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-30", "tags": [ "BB30", "geofenced", "js", "Qakbot", "Quakbot", "USA", "zip" ] }, { "url": "https://bonesolution.org/nrp/laborequi.php", "status": "offline", "threat": "malware_download", "date_added": "2023-04-12", "tags": [ "921", "BB23", "geofenced", "Qakbot", "qbot", "Quakbot", "TR", "USA", "wsf", "zip" ] } ], "error": null }, "from_cache": true, "_cached_at": 1776627760.5040028 }