{
  "type": "Domain",
  "indicator": "browser-storage.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/browser-storage.com",
    "alexa": "http://www.alexa.com/siteinfo/browser-storage.com",
    "indicator": "browser-storage.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4034993648,
      "indicator": "browser-storage.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "68f130fe56a14a2de8f391b4",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-16T17:53:02.346000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386919,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c148f5d64d299fa4a97670",
          "name": "Your MFA Is No Match for Sneaky2FA",
          "description": "In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.",
          "modified": "2025-03-30T05:00:33.922000",
          "created": "2025-02-28T05:26:13.622000",
          "tags": [
            "phaas",
            "session cookies",
            "2fa bypass",
            "office 365",
            "phishing",
            "sneaky2fa"
          ],
          "references": [
            "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sneaky2FA",
              "display_name": "Sneaky2FA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 4,
            "domain": 12,
            "hostname": 3
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386923,
          "modified_text": "429 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690849bd041ea4f9df398443",
          "name": "Threat Intel Report-W44-2025",
          "description": "Weekly baseline recommendations for IT administrators and CISOs: corrective actions to harden security infrastructure against the threats and attacks newly identified during the week.",
          "modified": "2025-12-03T06:04:08.165000",
          "created": "2025-11-03T06:20:45.583000",
          "tags": [
            "mozi",
            "clearfake",
            "urls http",
            "hashes",
            "domains",
            "sha values",
            "file name",
            "submit date",
            "dateadded",
            "malware url"
          ],
          "references": [
            "https://urlhaus.abuse.ch/",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 97,
            "URL": 242,
            "FileHash-MD5": 58,
            "FileHash-SHA1": 58,
            "FileHash-SHA256": 121,
            "domain": 68
          },
          "indicator_count": 644,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f6d632e968e854294b4c92",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
          "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, utilizing innovative methods such as EtherHiding to distribute malware, primarily infostealers. They exploit vulnerable WordPress sites by injecting malicious JavaScript (CLEARSHORT), which subsequently retrieves payloads from attacker-controlled smart contracts, often incorporating social engineering tactics to lure victims. By late 2024, UNC5142 adopted Cloudflare Pages for hosting their landing sites to evade detection, while shifting to AES encryption for payloads, complicating analytical efforts. The group's operational framework has evolved to a complex three-tiered smart contract system, enhancing adaptability and real-time control over malware distribution. Throughout their campaigns, they have deployed various infostealers, showcasing their capability to adjust tactics based on the target operating systems, while demonstrating a commitment to operational continuity even during pauses in activity.",
          "modified": "2025-11-20T00:02:20.508000",
          "created": "2025-10-21T00:39:14.990000",
          "tags": [
            "unc5142",
            "secondary",
            "main",
            "threat defense",
            "bnb smart",
            "chain",
            "main operator",
            "march",
            "mandiant",
            "gtig",
            "defense",
            "february",
            "javascript",
            "clearfake",
            "clearshort",
            "windows",
            "vidar",
            "atomic"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "UNC5142",
              "display_name": "UNC5142",
              "target": null
            },
            {
              "id": "CLEARFAKE",
              "display_name": "CLEARFAKE",
              "target": null
            },
            {
              "id": "CLEARSHORT",
              "display_name": "CLEARSHORT",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "URL": 172,
            "domain": 57,
            "hostname": 144
          },
          "indicator_count": 392,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "194 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f1f6d5e67497c1c99e8498",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
          "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, employing innovative techniques to distribute malware, notably infostealers, while leveraging compromised WordPress sites and a novel method known as EtherHiding. EtherHiding consists of utilizing the BNB Smart Chain to obscure malicious components and control operations via smart contracts. Attacks begin with the exploitation of vulnerable WordPress websites, where malicious JavaScript known as CLEARSHORT is injected. This multistage JavaScript downloader retrieves subsequent payloads through a series of calls to attacker-controlled smart contracts, employing social engineering tactics like ClickFix to entice victims into executing harmful commands.",
          "modified": "2025-11-16T07:01:18.160000",
          "created": "2025-10-17T07:57:09.201000",
          "tags": [
            "unc5142 payload",
            "vidar c2",
            "c2 checkin",
            "vidar",
            "hosting",
            "unc5142 c2",
            "level",
            "iocs sha256",
            "malware family",
            "radthief",
            "atomic"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 66,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 167,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f1badb6d87602adf22364d",
          "name": "IOC - New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-17T03:41:15.347000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68f130fe56a14a2de8f391b4",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f5b8b0b0feb298c846dd46",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-20T04:21:04.543000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68f130fe56a14a2de8f391b4",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "353 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c67983886e527af342a579",
          "name": "Your MFA Is No Match for Sneaky2FA",
          "description": "",
          "modified": "2025-03-30T05:00:33.922000",
          "created": "2025-03-04T03:54:43.759000",
          "tags": [
            "phaas",
            "session cookies",
            "2fa bypass",
            "office 365",
            "phishing",
            "sneaky2fa"
          ],
          "references": [
            "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sneaky2FA",
              "display_name": "Sneaky2FA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67c148f5d64d299fa4a97670",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 4,
            "domain": 12,
            "hostname": 3
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "429 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67bde372858d6c9980212ae6",
          "name": "Fake DeepSeek Site Infects Mac Users with Poseidon Stealer",
          "description": "Adversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.",
          "modified": "2025-03-27T15:03:40.001000",
          "created": "2025-02-25T15:36:18.832000",
          "tags": [
            "path",
            "button",
            "span",
            "link",
            "script",
            "template",
            "amos",
            "quot",
            "cfile",
            "github",
            "form",
            "footer",
            "code",
            "atomic",
            "meta",
            "stealer",
            "asyncrat",
            "terminal",
            "reload",
            "find",
            "close",
            "autoit",
            "icedid",
            "lazarus",
            "venomrat",
            "webdav",
            "solarmarker",
            "exodus",
            "download",
            "body",
            "write",
            "small",
            "enterprise",
            "star",
            "courier",
            "copy",
            "open",
            "media",
            "main",
            "contact"
          ],
          "references": [
            "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 14,
            "URL": 4,
            "domain": 7,
            "hostname": 1
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67be07025c65488e51a71760",
          "name": "Poseidon Stealer Malware Targets Mac Users via Fake DeepSeek Site",
          "description": "",
          "modified": "2025-02-25T18:08:02.886000",
          "created": "2025-02-25T18:08:02.886000",
          "tags": [
            "https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "461 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67be070115984ac3e1cd72b0",
          "name": "Poseidon Stealer Malware Targets Mac Users via Fake DeepSeek Site",
          "description": "",
          "modified": "2025-02-25T18:08:01.914000",
          "created": "2025-02-25T18:08:01.914000",
          "tags": [
            "https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "461 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware",
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/",
        "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer",
        "https://urlhaus.abuse.ch/",
        "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa",
        "https://any.run/malware-trends/",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC5142"
          ],
          "malware_families": [
            "Vidar",
            "Radthief",
            "Atomic",
            "Sneaky2fa",
            "Lummac.v2"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "UNC5142"
          ],
          "malware_families": [
            "Clearshort",
            "Vidar",
            "Radthief",
            "Atomic",
            "Sneaky2fa",
            "Lummac.v2",
            "Clearfake",
            "Unc5142"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "68f130fe56a14a2de8f391b4",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-16T17:53:02.346000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386919,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c148f5d64d299fa4a97670",
      "name": "Your MFA Is No Match for Sneaky2FA",
      "description": "In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.",
      "modified": "2025-03-30T05:00:33.922000",
      "created": "2025-02-28T05:26:13.622000",
      "tags": [
        "phaas",
        "session cookies",
        "2fa bypass",
        "office 365",
        "phishing",
        "sneaky2fa"
      ],
      "references": [
        "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sneaky2FA",
          "display_name": "Sneaky2FA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 4,
        "domain": 12,
        "hostname": 3
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386923,
      "modified_text": "429 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690849bd041ea4f9df398443",
      "name": "Threat Intel Report-W44-2025",
      "description": "These are weekly baseline recommendations for all IT Administrators and CISOs to take corrective action and upgrade their security infrastructure against the threats and attacks newly identified during the week.",
      "modified": "2025-12-03T06:04:08.165000",
      "created": "2025-11-03T06:20:45.583000",
      "tags": [
        "mozi",
        "clearfake",
        "urls http",
        "hashes",
        "domains",
        "sha values",
        "file name",
        "submit date",
        "dateadded",
        "malware url"
      ],
      "references": [
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 97,
        "URL": 242,
        "FileHash-MD5": 58,
        "FileHash-SHA1": 58,
        "FileHash-SHA256": 121,
        "domain": 68
      },
      "indicator_count": 644,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 108,
      "modified_text": "181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f6d632e968e854294b4c92",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
      "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, utilizing innovative methods such as EtherHiding to distribute malware, primarily infostealers. They exploit vulnerable WordPress sites by injecting malicious JavaScript (CLEARSHORT), which subsequently retrieves payloads from attacker-controlled smart contracts, often incorporating social engineering tactics to lure victims. By late 2024, UNC5142 adopted Cloudflare Pages for hosting their landing sites to evade detection, while shifting to AES encryption for payloads, complicating analytical efforts. The group's operational framework has evolved to a complex three-tiered smart contract system, enhancing adaptability and real-time control over malware distribution. Throughout their campaigns, they have deployed various infostealers, showcasing their capability to adjust tactics based on the target operating systems, while demonstrating a commitment to operational continuity even during pauses in activity.",
      "modified": "2025-11-20T00:02:20.508000",
      "created": "2025-10-21T00:39:14.990000",
      "tags": [
        "unc5142",
        "secondary",
        "main",
        "threat defense",
        "bnb smart",
        "chain",
        "main operator",
        "march",
        "mandiant",
        "gtig",
        "defense",
        "february",
        "javascript",
        "clearfake",
        "clearshort",
        "windows",
        "vidar",
        "atomic"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "UNC5142",
          "display_name": "UNC5142",
          "target": null
        },
        {
          "id": "CLEARFAKE",
          "display_name": "CLEARFAKE",
          "target": null
        },
        {
          "id": "CLEARSHORT",
          "display_name": "CLEARSHORT",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 7,
        "URL": 172,
        "domain": 57,
        "hostname": 144
      },
      "indicator_count": 392,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "194 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f1f6d5e67497c1c99e8498",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
      "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, employing innovative techniques to distribute malware, notably infostealers, while leveraging compromised WordPress sites and a novel method known as EtherHiding. EtherHiding consists of utilizing the BNB Smart Chain to obscure malicious components and control operations via smart contracts. Attacks begin with the exploitation of vulnerable WordPress websites, where malicious JavaScript known as CLEARSHORT is injected. This multistage JavaScript downloader retrieves subsequent payloads through a series of calls to attacker-controlled smart contracts, employing social engineering tactics like ClickFix to entice victims into executing harmful commands.",
      "modified": "2025-11-16T07:01:18.160000",
      "created": "2025-10-17T07:57:09.201000",
      "tags": [
        "unc5142 payload",
        "vidar c2",
        "c2 checkin",
        "vidar",
        "hosting",
        "unc5142 c2",
        "level",
        "iocs sha256",
        "malware family",
        "radthief",
        "atomic"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 66,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 167,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f1badb6d87602adf22364d",
      "name": "IOC - New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-17T03:41:15.347000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68f130fe56a14a2de8f391b4",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f5b8b0b0feb298c846dd46",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-20T04:21:04.543000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68f130fe56a14a2de8f391b4",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "353 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c67983886e527af342a579",
      "name": "Your MFA Is No Match for Sneaky2FA",
      "description": "",
      "modified": "2025-03-30T05:00:33.922000",
      "created": "2025-03-04T03:54:43.759000",
      "tags": [
        "phaas",
        "session cookies",
        "2fa bypass",
        "office 365",
        "phishing",
        "sneaky2fa"
      ],
      "references": [
        "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sneaky2FA",
          "display_name": "Sneaky2FA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67c148f5d64d299fa4a97670",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 4,
        "domain": 12,
        "hostname": 3
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "429 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67bde372858d6c9980212ae6",
      "name": "Fake DeepSeek Site Infects Mac Users with Poseidon Stealer",
      "description": "Adversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.",
      "modified": "2025-03-27T15:03:40.001000",
      "created": "2025-02-25T15:36:18.832000",
      "tags": [
        "path",
        "button",
        "span",
        "link",
        "script",
        "template",
        "amos",
        "quot",
        "cfile",
        "github",
        "form",
        "footer",
        "code",
        "atomic",
        "meta",
        "stealer",
        "asyncrat",
        "terminal",
        "reload",
        "find",
        "close",
        "autoit",
        "icedid",
        "lazarus",
        "venomrat",
        "webdav",
        "solarmarker",
        "exodus",
        "download",
        "body",
        "write",
        "small",
        "enterprise",
        "star",
        "courier",
        "copy",
        "open",
        "media",
        "main",
        "contact"
      ],
      "references": [
        "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 14,
        "URL": 4,
        "domain": 7,
        "hostname": 1
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "432 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "browser-storage.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "browser-storage.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780419073.2387078
}