{ "type": "Domain", "indicator": "camplytic.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/camplytic.com", "alexa": "http://www.alexa.com/siteinfo/camplytic.com", "indicator": "camplytic.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4013301459, "indicator": "camplytic.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6823a6cd176318a7795d1ed1", "name": "Lumma Stealer: Persistent Threat Targeting Sensitive Information", "description": "The Lumma Stealer, active since mid-2022, continues to pose a significant threat by targeting users' passwords, session tokens, and other sensitive data. Sophos Managed Detection and Response (MDR) has identified its ongoing activity, highlighting its use of obfuscated files, signed binary proxy execution, and boot or logon autostart techniques.", "modified": "2025-05-13T20:09:00.616000", "created": "2025-05-13T20:08:45.826000", "tags": [ "figure", "lumma stealer", "unixepoch", "captcha", "proxycommand", "method", "like", "iocs", "command", "fixedzip", "powershell", "next", "path", "mdr", "lumma" ], "references": [ "https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/" ], "public": 1, "adversary": "MDR", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "385 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67605e1014eb611bf6c3ea80", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Guardio Labs reported on a large-scale fake captcha campaign distributing Lumma Stealer that circumvents general security measures like Safe Browsing. The campaign relies entirely on a single ad network for propagation (malvertising), Monetag, a subsidiary of ProepllerAds previously tracked by Infoblox under the name \u201cVane Viper.\u201d These ads, leveraging BeMob for tracking, receive over 1 million daily \u201cimpressions,\u201d potentially causing thousands of daily infections of Lumma Stealer\u00a0through a network of\u00a03,000+\u00a0sites using Monetag scripts. The research dissects this campaign and provides insights into the malvertising industry\u2019s infrastructure, tactics, and key players.", "modified": "2024-12-16T17:06:24.698000", "created": "2024-12-16T17:06:24.698000", "tags": [ "Malvertising", "Lumma Stealer", "BeMob Ad Tracking" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676049d097dee16008d10a76", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Research by Guardio Labs sheds light on the dark side of the internet advertising industry, revealing how malvertising on steroids is thriving and how web users are vulnerable to the threat of cyber-thieves.", "modified": "2024-12-16T15:40:00.031000", "created": "2024-12-16T15:40:00.031000", "tags": [ "monetag", "bemob", "infoblox", "facebook", "guardio labs", "powershell", "system", "javascript", "js snippet", "service", "download", "example", "rest", "captcha lumma", "monetag tds" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Captcha Lumma", "display_name": "Captcha Lumma", "target": null }, { "id": "Monetag TDS", "display_name": "Monetag TDS", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "533 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/", "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "MDR" ], "malware_families": [ "Lumma stealer", "Monetag tds", "Captcha lumma", "Lumma" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6823a6cd176318a7795d1ed1", "name": "Lumma Stealer: Persistent Threat Targeting Sensitive Information", "description": "The Lumma Stealer, active since mid-2022, continues to pose a significant threat by targeting users' passwords, session tokens, and other sensitive data. Sophos Managed Detection and Response (MDR) has identified its ongoing activity, highlighting its use of obfuscated files, signed binary proxy execution, and boot or logon autostart techniques.", "modified": "2025-05-13T20:09:00.616000", "created": "2025-05-13T20:08:45.826000", "tags": [ "figure", "lumma stealer", "unixepoch", "captcha", "proxycommand", "method", "like", "iocs", "command", "fixedzip", "powershell", "next", "path", "mdr", "lumma" ], "references": [ "https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/" ], "public": 1, "adversary": "MDR", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "385 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67605e1014eb611bf6c3ea80", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Guardio Labs reported on a large-scale fake captcha campaign distributing Lumma Stealer that circumvents general security measures like Safe Browsing. The campaign relies entirely on a single ad network for propagation (malvertising), Monetag, a subsidiary of ProepllerAds previously tracked by Infoblox under the name \u201cVane Viper.\u201d These ads, leveraging BeMob for tracking, receive over 1 million daily \u201cimpressions,\u201d potentially causing thousands of daily infections of Lumma Stealer\u00a0through a network of\u00a03,000+\u00a0sites using Monetag scripts. The research dissects this campaign and provides insights into the malvertising industry\u2019s infrastructure, tactics, and key players.", "modified": "2024-12-16T17:06:24.698000", "created": "2024-12-16T17:06:24.698000", "tags": [ "Malvertising", "Lumma Stealer", "BeMob Ad Tracking" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676049d097dee16008d10a76", "name": "\u201cDeceptionAds\u201d \u2014 Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising", "description": "Research by Guardio Labs sheds light on the dark side of the internet advertising industry, revealing how malvertising on steroids is thriving and how web users are vulnerable to the threat of cyber-thieves.", "modified": "2024-12-16T15:40:00.031000", "created": "2024-12-16T15:40:00.031000", "tags": [ "monetag", "bemob", "infoblox", "facebook", "guardio labs", "powershell", "system", "javascript", "js snippet", "service", "download", "example", "rest", "captcha lumma", "monetag tds" ], "references": [ "https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Captcha Lumma", "display_name": "Captcha Lumma", "target": null }, { "id": "Monetag TDS", "display_name": "Monetag TDS", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 92, "URL": 94, "FileHash-MD5": 1, "hostname": 4 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "533 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "camplytic.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "camplytic.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780475221.9701264 }