{ "type": "Domain", "indicator": "bullethost.cloud", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bullethost.cloud", "alexa": "http://www.alexa.com/siteinfo/bullethost.cloud", "indicator": "bullethost.cloud", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4146348410, "indicator": "bullethost.cloud", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "692c9dcbf2f40935038e7d3e", "name": "Supply Chain Attack IOCs - GitHub Pattern 38 + npm MUT-4831 (DugganUSA)", "description": "Supply chain attacks via package repos and issue comments. Links to MUT-4831 (npm/Vidar) pulse 6910960e3c6a04215cbdbc63. Pattern 38 GitHub accounts, C2 infrastructure, malware hashes. STIX: analytics.dugganusa.com/api/v1/stix-feed", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T19:40:59.308000", "tags": [ "supply-chain", "github", "npm", "vidar", "stealc", "pattern-38", "mut-4831", "typosquatting", "social-engineering", "dugganusa" ], "references": [ "https://otx.alienvault.com/pulse/6910960e3c6a04215cbdbc63", "https://analytics.dugganusa.com/api/v1/stix-feed", "https://www.dugganusa.com/post/pattern-38-github-supply-chain-attacks-use-stolen-developer-credentials-from-2023-breaches", "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 4 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 196, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6910960e3c6a04215cbdbc63", "name": "MUT-4831: Trojanized npm packages deliver Vidar infostealer malware.", "description": "Recent research from Datadog Security has revealed a campaign attributed to a threat actor cluster named MUT-4831, involving 17 npm packages (totalling 23 releases) that harbor downloader malware. These packages disguise themselves as legitimate SDKs, which provide actual functionality while simultaneously executing a postinstall script that deploys the Vidar infostealer malware on Windows systems. This marks the first known incident of Vidar malware distributed via npm packages.\n\nThe npm registry has increasingly become a target for significant package takeovers, enabling threat actors to use it as an effective vehicle for delivering malware. Although measures to counteract these abuses are being put in place, it is expected that such exploitation of the npm ecosystem will continue.", "modified": "2025-11-09T13:24:30.457000", "created": "2025-11-09T13:24:30.457000", "tags": [ "vidar c2", "zip file", "download link", "mut4831", "mut4831 vidar", "vidar malware", "telegram", "guarddog", "zip archive", "steam", "vidar", "powershell", "mut-4831" ], "references": [ "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MUT-4831", "display_name": "MUT-4831", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 1, "hostname": 15, "email": 2 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "205 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d06035f8d935f1a145c3b", "name": "MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs", "description": "The latest in a series of articles on emerging threats and vulnerabilities in the open source package registry, compiled by security researchers Datadog Security Research and the security firm GuardDog, on this page.", "modified": "2025-11-06T20:33:07.694000", "created": "2025-11-06T20:33:07.694000", "tags": [ "vidar c2", "zip file", "download link", "mut4831", "mut4831 vidar", "vidar malware", "telegram", "guarddog", "zip archive", "steam", "vidar", "powershell", "mut-4831" ], "references": [ "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/", "https://www.virustotal.com/graph/embed/g7756f7dc2a4a480ca2d779c6a2c7a9f8d30ac359bc0f458fa476e55021202220?theme=light" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MUT-4831", "display_name": "MUT-4831", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 1, "hostname": 15 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "207 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed", "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/", "https://otx.alienvault.com/pulse/6910960e3c6a04215cbdbc63", "https://www.dugganusa.com/post/pattern-38-github-supply-chain-attacks-use-stolen-developer-credentials-from-2023-breaches", "https://www.virustotal.com/graph/embed/g7756f7dc2a4a480ca2d779c6a2c7a9f8d30ac359bc0f458fa476e55021202220?theme=light" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu" ], "malware_families": [ "Mut-4831", "Rhadamanthys", "Stealc", "Vidar" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "692c9dcbf2f40935038e7d3e", "name": "Supply Chain Attack IOCs - GitHub Pattern 38 + npm MUT-4831 (DugganUSA)", "description": "Supply chain attacks via package repos and issue comments. Links to MUT-4831 (npm/Vidar) pulse 6910960e3c6a04215cbdbc63. Pattern 38 GitHub accounts, C2 infrastructure, malware hashes. STIX: analytics.dugganusa.com/api/v1/stix-feed", "modified": "2025-12-30T19:04:40.430000", "created": "2025-11-30T19:40:59.308000", "tags": [ "supply-chain", "github", "npm", "vidar", "stealc", "pattern-38", "mut-4831", "typosquatting", "social-engineering", "dugganusa" ], "references": [ "https://otx.alienvault.com/pulse/6910960e3c6a04215cbdbc63", "https://analytics.dugganusa.com/api/v1/stix-feed", "https://www.dugganusa.com/post/pattern-38-github-supply-chain-attacks-use-stolen-developer-credentials-from-2023-breaches", "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 4 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 196, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6910960e3c6a04215cbdbc63", "name": "MUT-4831: Trojanized npm packages deliver Vidar infostealer malware.", "description": "Recent research from Datadog Security has revealed a campaign attributed to a threat actor cluster named MUT-4831, involving 17 npm packages (totalling 23 releases) that harbor downloader malware. These packages disguise themselves as legitimate SDKs, which provide actual functionality while simultaneously executing a postinstall script that deploys the Vidar infostealer malware on Windows systems. This marks the first known incident of Vidar malware distributed via npm packages.\n\nThe npm registry has increasingly become a target for significant package takeovers, enabling threat actors to use it as an effective vehicle for delivering malware. Although measures to counteract these abuses are being put in place, it is expected that such exploitation of the npm ecosystem will continue.", "modified": "2025-11-09T13:24:30.457000", "created": "2025-11-09T13:24:30.457000", "tags": [ "vidar c2", "zip file", "download link", "mut4831", "mut4831 vidar", "vidar malware", "telegram", "guarddog", "zip archive", "steam", "vidar", "powershell", "mut-4831" ], "references": [ "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MUT-4831", "display_name": "MUT-4831", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 1, "hostname": 15, "email": 2 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "205 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690d06035f8d935f1a145c3b", "name": "MUT-4831: Trojanized npm packages deliver Vidar infostealer malware | Datadog Security Labs", "description": "The latest in a series of articles on emerging threats and vulnerabilities in the open source package registry, compiled by security researchers Datadog Security Research and the security firm GuardDog, on this page.", "modified": "2025-11-06T20:33:07.694000", "created": "2025-11-06T20:33:07.694000", "tags": [ "vidar c2", "zip file", "download link", "mut4831", "mut4831 vidar", "vidar malware", "telegram", "guarddog", "zip archive", "steam", "vidar", "powershell", "mut-4831" ], "references": [ "https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/", "https://www.virustotal.com/graph/embed/g7756f7dc2a4a480ca2d779c6a2c7a9f8d30ac359bc0f458fa476e55021202220?theme=light" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MUT-4831", "display_name": "MUT-4831", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 1, "hostname": 15 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 268, "modified_text": "207 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bullethost.cloud", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bullethost.cloud", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780407096.8396502 }