{
  "type": "Domain",
  "indicator": "calbbs.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/calbbs.com",
    "alexa": "http://www.alexa.com/siteinfo/calbbs.com",
    "indicator": "calbbs.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3160735160,
      "indicator": "calbbs.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "6864afd879d7f788ade1a404",
          "name": "Silent Push to find LandUpdate808 - Malasada Tech",
          "description": "LandUpdate808 indicators.",
          "modified": "2025-08-01T04:04:31.097000",
          "created": "2025-07-02T04:04:40.981000",
          "tags": [
            "landupdate808"
          ],
          "references": [
            "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
            "export_2024-12-21_162303-silent-push-domain-search-landupdate808.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "malasada.tech",
            "id": "277538",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 32
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "304 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6846ac4df84821ab290af471",
          "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
          "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
          "modified": "2025-07-09T09:00:16.142000",
          "created": "2025-06-09T09:41:33.230000",
          "tags": [
            "injected link",
            "providers",
            "injected links",
            "solutions llp",
            "bl networks",
            "limited",
            "fornex hosting",
            "cgi global",
            "smartape ou",
            "proton66 ooo",
            "red bytes",
            "cloudflare",
            "llc bl",
            "networks",
            "prospero ooo",
            "cybercx",
            "public"
          ],
          "references": [
            "https://connect.cybercx.com.au/dark-engine"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 56,
            "domain": 55
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "327 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68445797edce3aedea6c7835",
          "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
          "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
          "modified": "2025-07-07T15:00:14.692000",
          "created": "2025-06-07T15:15:35.855000",
          "tags": [],
          "references": [
            "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "domain": 56,
            "hostname": 1
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "329 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a3b3a352d7c910fa5f4f96",
          "name": "The Evolving Threat of TAG-124",
          "description": "All photographs courtesy of AP, AFP, EPA, Getty Images, Reuters and Reuters/ GettyImages. (All images are copyrighted).. \u00a31.5m.. and",
          "modified": "2025-03-07T18:02:24.372000",
          "created": "2025-02-05T18:53:23.378000",
          "tags": [],
          "references": [
            "adv11.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 28,
            "FileHash-SHA1": 28,
            "FileHash-SHA256": 28,
            "domain": 82,
            "hostname": 2
          },
          "indicator_count": 168,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "451 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a1f245f3709030a9f0ccb7",
          "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base",
          "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.",
          "modified": "2025-03-06T10:04:51.026000",
          "created": "2025-02-04T10:56:05.010000",
          "tags": [
            "tag124",
            "cloudflare",
            "wordpress",
            "insikt group",
            "figure",
            "google chrome",
            "future",
            "urls",
            "ta582",
            "fake google",
            "rhysida",
            "powershell",
            "april",
            "insikt",
            "remcos",
            "interlock"
          ],
          "references": [
            "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Insikt",
              "display_name": "Insikt",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "REMCOS",
              "display_name": "REMCOS",
              "target": null
            },
            {
              "id": "Interlock",
              "display_name": "Interlock",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 30,
            "FileHash-SHA1": 30,
            "FileHash-SHA256": 30,
            "URL": 2,
            "domain": 254,
            "hostname": 112
          },
          "indicator_count": 458,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679ba047fa5e47a0f6e2c071",
          "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base",
          "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.",
          "modified": "2025-03-01T15:01:42.461000",
          "created": "2025-01-30T15:52:39.738000",
          "tags": [
            "fake google",
            "chrome update",
            "matomo instance",
            "remcos rat",
            "c2 ip",
            "address",
            "ta582",
            "hashes"
          ],
          "references": [],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "Interlock",
              "display_name": "Interlock",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "InformationTechnogyISAC",
            "id": "141282",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 30,
            "domain": 234,
            "hostname": 105
          },
          "indicator_count": 383,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "457 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678c4c904afe925831e7063e",
          "name": "KongTuke LandUpdate808",
          "description": "",
          "modified": "2025-02-18T04:02:02.633000",
          "created": "2025-01-19T00:51:28.552000",
          "tags": [
            "KongTuke",
            "LandUpdate808"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 58,
            "hostname": 2
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "468 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
        "export_2024-12-21_162303-silent-push-domain-search-landupdate808.csv",
        "https://connect.cybercx.com.au/dark-engine",
        "adv11.txt",
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf",
        "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "TAG-124",
            "Insikt"
          ],
          "malware_families": [
            "Insikt",
            "Interlock",
            "Socgholish",
            "Remcos",
            "Rhysida"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "6864afd879d7f788ade1a404",
      "name": "Silent Push to find LandUpdate808 - Malasada Tech",
      "description": "LandUpdate808 indicators.",
      "modified": "2025-08-01T04:04:31.097000",
      "created": "2025-07-02T04:04:40.981000",
      "tags": [
        "landupdate808"
      ],
      "references": [
        "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
        "export_2024-12-21_162303-silent-push-domain-search-landupdate808.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "malasada.tech",
        "id": "277538",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 32
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 28,
      "modified_text": "304 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6846ac4df84821ab290af471",
      "name": "DarkEngine: Unmasking the Sophisticated WordPress Phishing Campaign",
      "description": "CyberCX has discovered a sophisticated phishing campaign named DarkEngine, which targets users of WP Engine, a managed WordPress hosting platform, and has been active since at least June 2024. The campaign employs SEO poisoning to lure victims to phishing sites mimicking the WP Engine login interface, enabling attackers to steal credentials and gain unauthorized access to WP Engine accounts and their associated WordPress sites. Once compromised, the attackers inject backdoors via malicious plugins and execute harmful JavaScript, affecting over 2,353 unique sites primarily in Australia and New Zealand, while also utilizing techniques like ClickFix to manipulate visitors into executing harmful commands. The operation employs a headless browser automation tool for exploitation, maintaining persistence through various backdoors and SFTP accounts.",
      "modified": "2025-07-09T09:00:16.142000",
      "created": "2025-06-09T09:41:33.230000",
      "tags": [
        "injected link",
        "providers",
        "injected links",
        "solutions llp",
        "bl networks",
        "limited",
        "fornex hosting",
        "cgi global",
        "smartape ou",
        "proton66 ooo",
        "red bytes",
        "cloudflare",
        "llc bl",
        "networks",
        "prospero ooo",
        "cybercx",
        "public"
      ],
      "references": [
        "https://connect.cybercx.com.au/dark-engine"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 56,
        "domain": 55
      },
      "indicator_count": 111,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "327 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68445797edce3aedea6c7835",
      "name": "CyberCX & WP Engine Expose Active Exploits: Cloud, Ransomware, and Supply Chain Threats.",
      "description": "CyberCX and WP Engine\u2019s latest report reveals active cyber threats targeting cloud environments, ransomware operations, and software supply chains. Key findings include: \u2022 Exploited Cloud Vulnerabilities: Attackers abusing misconfigurations in AWS, Azure, and SaaS platforms for initial access. \u2022 Ransomware-as-a-Service (RaaS) Expansion: New affiliate tactics leading to faster encryption and double extortion. \u2022 Software Supply Chain Compromises: Malicious code injections in third-party vendor updates, enabling silent backdoors.",
      "modified": "2025-07-07T15:00:14.692000",
      "created": "2025-06-07T15:15:35.855000",
      "tags": [],
      "references": [
        "https://storage.pardot.com/1069042/1748905703CCn8f7sn/CyberCX___WP_Engine_Report.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "domain": 56,
        "hostname": 1
      },
      "indicator_count": 117,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "329 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a3b3a352d7c910fa5f4f96",
      "name": "The Evolving Threat of TAG-124",
      "description": "All photographs courtesy of AP, AFP, EPA, Getty Images, Reuters and Reuters/ GettyImages. (All images are copyrighted).. \u00a31.5m.. and",
      "modified": "2025-03-07T18:02:24.372000",
      "created": "2025-02-05T18:53:23.378000",
      "tags": [],
      "references": [
        "adv11.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 28,
        "FileHash-SHA1": 28,
        "FileHash-SHA256": 28,
        "domain": 82,
        "hostname": 2
      },
      "indicator_count": 168,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "451 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a1f245f3709030a9f0ccb7",
      "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base",
      "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.",
      "modified": "2025-03-06T10:04:51.026000",
      "created": "2025-02-04T10:56:05.010000",
      "tags": [
        "tag124",
        "cloudflare",
        "wordpress",
        "insikt group",
        "figure",
        "google chrome",
        "future",
        "urls",
        "ta582",
        "fake google",
        "rhysida",
        "powershell",
        "april",
        "insikt",
        "remcos",
        "interlock"
      ],
      "references": [
        "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Insikt",
          "display_name": "Insikt",
          "target": null
        },
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "REMCOS",
          "display_name": "REMCOS",
          "target": null
        },
        {
          "id": "Interlock",
          "display_name": "Interlock",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 30,
        "FileHash-SHA1": 30,
        "FileHash-SHA256": 30,
        "URL": 2,
        "domain": 254,
        "hostname": 112
      },
      "indicator_count": 458,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "452 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "679ba047fa5e47a0f6e2c071",
      "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base",
      "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.",
      "modified": "2025-03-01T15:01:42.461000",
      "created": "2025-01-30T15:52:39.738000",
      "tags": [
        "fake google",
        "chrome update",
        "matomo instance",
        "remcos rat",
        "c2 ip",
        "address",
        "ta582",
        "hashes"
      ],
      "references": [],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "Interlock",
          "display_name": "Interlock",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "InformationTechnogyISAC",
        "id": "141282",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 30,
        "domain": 234,
        "hostname": 105
      },
      "indicator_count": 383,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "457 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678c4c904afe925831e7063e",
      "name": "KongTuke LandUpdate808",
      "description": "",
      "modified": "2025-02-18T04:02:02.633000",
      "created": "2025-01-19T00:51:28.552000",
      "tags": [
        "KongTuke",
        "LandUpdate808"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 58,
        "hostname": 2
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "468 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "calbbs.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "calbbs.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780355196.7237163
}