{ "type": "Domain", "indicator": "captcha-app-login.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/captcha-app-login.com", "alexa": "http://www.alexa.com/siteinfo/captcha-app-login.com", "indicator": "captcha-app-login.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4132955101, "indicator": "captcha-app-login.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 387178, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cf51e03b4d126e60ff61d0", "name": "Malware Filter - Phishing List - 20-09-2025", "description": "", "modified": "2025-09-21T01:16:16.580000", "created": "2025-09-21T01:16:16.580000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 168, "hostname": 353 }, "indicator_count": 521, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "255 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 387178, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cf51e03b4d126e60ff61d0", "name": "Malware Filter - Phishing List - 20-09-2025", "description": "", "modified": "2025-09-21T01:16:16.580000", "created": "2025-09-21T01:16:16.580000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 168, "hostname": 353 }, "indicator_count": 521, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "255 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "captcha-app-login.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "captcha-app-login.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780519288.919889 }