{ "type": "Domain", "indicator": "builsf.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/builsf.com", "alexa": "http://www.alexa.com/siteinfo/builsf.com", "indicator": "builsf.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4059934214, "indicator": "builsf.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44154, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 377493, "modified_text": "196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6809f295fb213f24e9df9228", "name": "Lazarus APT updates its toolset in watering hole attacks", "description": "The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers utilized updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE. They also exploited vulnerabilities in Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates Lazarus' ongoing focus on supply chain attacks targeting South Korean entities and their deep understanding of the local software ecosystem.", "modified": "2025-04-24T13:19:00.842000", "created": "2025-04-24T08:13:09.551000", "tags": [ "copperhedge", "vulnerability exploitation", "threatneedle", "supply chain", "south korea", "agamemnon downloader", "signbt", "apt", "wagent", "watering hole" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "ThreatNeedle - S0665", "display_name": "ThreatNeedle - S0665", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "Agamemnon downloader", "display_name": "Agamemnon downloader", "target": null }, { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null } ], "attack_ids": [ { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Technology", "Finance", "Manufacturing", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 377497, "modified_text": "359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680f8bda6a2aab67254ff9c2", "name": "Lazarus APT updates its toolset in watering hole attacks | Securelist", "description": "Security firm Kaspersky says it has identified and identified the malicious tools used by the Russian cyber-attack group, Lazarus, in a series of attacks targeting South Korean companies and government institutions over the past year.", "modified": "2025-05-28T00:01:41.760000", "created": "2025-04-28T14:08:26.641000", "tags": [ "apt", "infrastructure", "lazarus", "malware", "malware descriptions", "malware technologies", "mitre att&ck", "supply-chain attack", "targeted attacks", "vulnerabilities and exploits", "watering hole attacks", "zero-day vulnerabilities", "lazarus group", "south korea", "signbt", "threatneedle", "innorix agent", "cross ex", "c2 server", "krcert", "lpeclient", "copperhedge", "february", "gate", "loader", "core", "hell", "mysterysnail", "ironhusky", "wagent", "agamemnon" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null }, { "id": "ThreatNeedle", "display_name": "ThreatNeedle", "target": null }, { "id": "Agamemnon", "display_name": "Agamemnon", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 12, "domain": 5, "hostname": 4 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1602, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bc79ac1cf9155fe34c4e", "name": "Lazarus Group\u2019s \u201cOperation SyncHole\u201d Targeting Critical Industries", "description": "As part of a series of articles on cyber-security, we take a look at some of the key quotes from people who have contributed to this year's \u00c2\u00a31.3bn ransomware attack.", "modified": "2025-05-02T12:37:13.078000", "created": "2025-05-02T12:37:13.078000", "tags": [ "update", "siem", "iocs", "keep anti", "virus endpoint", "https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 22, "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 5, "hostname": 18 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "351 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6810617b4bcd0b1c76d88670", "name": "Lazarus APT updates its toolset in watering hole attacks", "description": "", "modified": "2025-04-29T05:19:55.329000", "created": "2025-04-29T05:19:55.329000", "tags": [ "copperhedge", "vulnerability exploitation", "threatneedle", "supply chain", "south korea", "agamemnon downloader", "signbt", "apt", "wagent", "watering hole" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "ThreatNeedle - S0665", "display_name": "ThreatNeedle - S0665", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "Agamemnon downloader", "display_name": "Agamemnon downloader", "target": null }, { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null } ], "attack_ids": [ { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Technology", "Finance", "Manufacturing", "Telecommunications" ], "TLP": "white", "cloned_from": "6809f295fb213f24e9df9228", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "355 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/", "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "related": { "alienvault": { "adversary": [ "Contagious Interview", "Lazarus" ], "malware_families": [ "Threatneedle - s0665", "Agamemnon downloader", "Signbt", "Wagent", "Copperhedge" ], "industries": [ "Telecommunications", "Technology", "Finance", "Manufacturing" ] }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Threatneedle - s0665", "Agamemnon downloader", "Signbt", "Threatneedle", "Wagent", "Copperhedge", "Agamemnon" ], "industries": [ "Telecommunications", "Technology", "Finance", "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44154, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 377493, "modified_text": "196 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6809f295fb213f24e9df9228", "name": "Lazarus APT updates its toolset in watering hole attacks", "description": "The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers utilized updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE. They also exploited vulnerabilities in Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates Lazarus' ongoing focus on supply chain attacks targeting South Korean entities and their deep understanding of the local software ecosystem.", "modified": "2025-04-24T13:19:00.842000", "created": "2025-04-24T08:13:09.551000", "tags": [ "copperhedge", "vulnerability exploitation", "threatneedle", "supply chain", "south korea", "agamemnon downloader", "signbt", "apt", "wagent", "watering hole" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "ThreatNeedle - S0665", "display_name": "ThreatNeedle - S0665", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "Agamemnon downloader", "display_name": "Agamemnon downloader", "target": null }, { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null } ], "attack_ids": [ { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Technology", "Finance", "Manufacturing", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 377497, "modified_text": "359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680f8bda6a2aab67254ff9c2", "name": "Lazarus APT updates its toolset in watering hole attacks | Securelist", "description": "Security firm Kaspersky says it has identified and identified the malicious tools used by the Russian cyber-attack group, Lazarus, in a series of attacks targeting South Korean companies and government institutions over the past year.", "modified": "2025-05-28T00:01:41.760000", "created": "2025-04-28T14:08:26.641000", "tags": [ "apt", "infrastructure", "lazarus", "malware", "malware descriptions", "malware technologies", "mitre att&ck", "supply-chain attack", "targeted attacks", "vulnerabilities and exploits", "watering hole attacks", "zero-day vulnerabilities", "lazarus group", "south korea", "signbt", "threatneedle", "innorix agent", "cross ex", "c2 server", "krcert", "lpeclient", "copperhedge", "february", "gate", "loader", "core", "hell", "mysterysnail", "ironhusky", "wagent", "agamemnon" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null }, { "id": "ThreatNeedle", "display_name": "ThreatNeedle", "target": null }, { "id": "Agamemnon", "display_name": "Agamemnon", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 12, "domain": 5, "hostname": 4 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680c1a2539b381ea9fbe7054", "name": "InQuest - 25-04-2025", "description": "", "modified": "2025-05-25T23:00:17.763000", "created": "2025-04-25T23:26:29.483000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "URL": 236, "FileHash-SHA1": 24, "FileHash-SHA256": 814, "domain": 54, "FileHash-MD5": 26 }, "indicator_count": 1196, "is_author": false, "is_subscribing": null, "subscriber_count": 1602, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680ac7dd8edc8c55be961a6d", "name": "InQuest - 24-04-2025", "description": "", "modified": "2025-05-24T23:00:39.177000", "created": "2025-04-24T23:23:09.843000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 879, "FileHash-MD5": 33, "hostname": 67, "URL": 426, "domain": 113, "FileHash-SHA1": 24 }, "indicator_count": 1542, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6814bc79ac1cf9155fe34c4e", "name": "Lazarus Group\u2019s \u201cOperation SyncHole\u201d Targeting Critical Industries", "description": "As part of a series of articles on cyber-security, we take a look at some of the key quotes from people who have contributed to this year's \u00c2\u00a31.3bn ransomware attack.", "modified": "2025-05-02T12:37:13.078000", "created": "2025-05-02T12:37:13.078000", "tags": [ "update", "siem", "iocs", "keep anti", "virus endpoint", "https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 22, "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "domain": 5, "hostname": 18 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "351 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6810617b4bcd0b1c76d88670", "name": "Lazarus APT updates its toolset in watering hole attacks", "description": "", "modified": "2025-04-29T05:19:55.329000", "created": "2025-04-29T05:19:55.329000", "tags": [ "copperhedge", "vulnerability exploitation", "threatneedle", "supply chain", "south korea", "agamemnon downloader", "signbt", "apt", "wagent", "watering hole" ], "references": [ "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "ThreatNeedle - S0665", "display_name": "ThreatNeedle - S0665", "target": null }, { "id": "wAgent", "display_name": "wAgent", "target": null }, { "id": "Agamemnon downloader", "display_name": "Agamemnon downloader", "target": null }, { "id": "SIGNBT", "display_name": "SIGNBT", "target": null }, { "id": "COPPERHEDGE", "display_name": "COPPERHEDGE", "target": null } ], "attack_ids": [ { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Technology", "Finance", "Manufacturing", "Telecommunications" ], "TLP": "white", "cloned_from": "6809f295fb213f24e9df9228", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "355 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "builsf.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "builsf.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776599147.0498486 }