{ "type": "Domain", "indicator": "canvadreamlab.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/canvadreamlab.com", "alexa": "http://www.alexa.com/siteinfo/canvadreamlab.com", "indicator": "canvadreamlab.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4036319301, "indicator": "canvadreamlab.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "653e8484ba7c285929cb5e0d", "name": "CERT.PL list of malicious domains", "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)", "modified": "2026-05-30T07:58:43.913000", "created": "2023-10-29T16:12:52.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 169153, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156498, "domain": 371707 }, "indicator_count": 528205, "is_author": false, "is_subscribing": null, "subscriber_count": 474, "modified_text": "21 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6838080f58e2d6ee8f43c9d3", "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites", "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus", "modified": "2025-05-29T07:09:03.459000", "created": "2025-05-29T07:09:03.459000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 9, "domain": 30, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "366 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836fce0d7f64f82186e780a", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-28T12:09:04.021000", "created": "2025-05-28T12:09:04.021000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361f3322abf0f14a1dc6bb", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-27T20:23:15.312000", "created": "2025-05-27T20:23:15.312000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/", "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites", "Emmenhtal.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Figure" ], "malware_families": [ "Frostrift", "Xworm", "Threat intelligence", "Grimpull", "Starkveil" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "653e8484ba7c285929cb5e0d", "name": "CERT.PL list of malicious domains", "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)", "modified": "2026-05-30T07:58:43.913000", "created": "2023-10-29T16:12:52.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 169153, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "tomtomalien", "id": "258713", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 156498, "domain": 371707 }, "indicator_count": 528205, "is_author": false, "is_subscribing": null, "subscriber_count": 474, "modified_text": "21 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6838080f58e2d6ee8f43c9d3", "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites", "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus", "modified": "2025-05-29T07:09:03.459000", "created": "2025-05-29T07:09:03.459000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 9, "domain": 30, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "366 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836fce0d7f64f82186e780a", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-28T12:09:04.021000", "created": "2025-05-28T12:09:04.021000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361f3322abf0f14a1dc6bb", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-27T20:23:15.312000", "created": "2025-05-27T20:23:15.312000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "canvadreamlab.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "canvadreamlab.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780205794.3018014 }