{
  "type": "Domain",
  "indicator": "captcha-cdn.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/captcha-cdn.com",
    "alexa": "http://www.alexa.com/siteinfo/captcha-cdn.com",
    "indicator": "captcha-cdn.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4054637943,
      "indicator": "captcha-cdn.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "68f130fe56a14a2de8f391b4",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-16T17:53:02.346000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386911,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690849bd041ea4f9df398443",
          "name": "Threat Intel Report-W44-2025",
          "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in the week.",
          "modified": "2025-12-03T06:04:08.165000",
          "created": "2025-11-03T06:20:45.583000",
          "tags": [
            "mozi",
            "clearfake",
            "urls http",
            "hashes",
            "domains",
            "sha values",
            "file name",
            "submit date",
            "dateadded",
            "malware url"
          ],
          "references": [
            "https://urlhaus.abuse.ch/",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 97,
            "URL": 242,
            "FileHash-MD5": 58,
            "FileHash-SHA1": 58,
            "FileHash-SHA256": 121,
            "domain": 68
          },
          "indicator_count": 644,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f6d632e968e854294b4c92",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
          "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, utilizing innovative methods such as EtherHiding to distribute malware, primarily infostealers. They exploit vulnerable WordPress sites by injecting malicious JavaScript (CLEARSHORT), which subsequently retrieves payloads from attacker-controlled smart contracts, often incorporating social engineering tactics to lure victims. By late 2024, UNC5142 adopted Cloudflare Pages for hosting their landing sites to evade detection, while shifting to AES encryption for payloads, complicating analytical efforts. The group's operational framework has evolved to a complex three-tiered smart contract system, enhancing adaptability and real-time control over malware distribution. Throughout their campaigns, they have deployed various infostealers, showcasing their capability to adjust tactics based on the target operating systems, while demonstrating a commitment to operational continuity even during pauses in activity.",
          "modified": "2025-11-20T00:02:20.508000",
          "created": "2025-10-21T00:39:14.990000",
          "tags": [
            "unc5142",
            "secondary",
            "main",
            "threat defense",
            "bnb smart",
            "chain",
            "main operator",
            "march",
            "mandiant",
            "gtig",
            "defense",
            "february",
            "javascript",
            "clearfake",
            "clearshort",
            "windows",
            "vidar",
            "atomic"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "UNC5142",
              "display_name": "UNC5142",
              "target": null
            },
            {
              "id": "CLEARFAKE",
              "display_name": "CLEARFAKE",
              "target": null
            },
            {
              "id": "CLEARSHORT",
              "display_name": "CLEARSHORT",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "URL": 172,
            "domain": 57,
            "hostname": 144
          },
          "indicator_count": 392,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "194 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f1f6d5e67497c1c99e8498",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
          "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, employing innovative techniques to distribute malware, notably infostealers, while leveraging compromised WordPress sites and a novel method known as EtherHiding. EtherHiding consists of utilizing the BNB Smart Chain to obscure malicious components and control operations via smart contracts. Attacks begin with the exploitation of vulnerable WordPress websites, where malicious JavaScript known as CLEARSHORT is injected. This multistage JavaScript downloader retrieves subsequent payloads through a series of calls to attacker-controlled smart contracts, employing social engineering tactics like ClickFix to entice victims into executing harmful commands.",
          "modified": "2025-11-16T07:01:18.160000",
          "created": "2025-10-17T07:57:09.201000",
          "tags": [
            "unc5142 payload",
            "vidar c2",
            "c2 checkin",
            "vidar",
            "hosting",
            "unc5142 c2",
            "level",
            "iocs sha256",
            "malware family",
            "radthief",
            "atomic"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 66,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 167,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f1badb6d87602adf22364d",
          "name": "IOC - New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-17T03:41:15.347000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68f130fe56a14a2de8f391b4",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f5b8b0b0feb298c846dd46",
          "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
          "description": "",
          "modified": "2025-11-15T17:00:02.086000",
          "created": "2025-10-20T04:21:04.543000",
          "tags": [
            "smart contracts",
            "blockchain",
            "cloudflare pages",
            "bnb smart chain",
            "atomic",
            "lummac.v2",
            "vidar",
            "infostealers",
            "radthief",
            "clearshort",
            "wordpress",
            "etherhiding"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
          ],
          "public": 1,
          "adversary": "UNC5142",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ATOMIC",
              "display_name": "ATOMIC",
              "target": null
            },
            {
              "id": "VIDAR",
              "display_name": "VIDAR",
              "target": null
            },
            {
              "id": "LUMMAC.V2",
              "display_name": "LUMMAC.V2",
              "target": null
            },
            {
              "id": "RADTHIEF",
              "display_name": "RADTHIEF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68f130fe56a14a2de8f391b4",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 7,
            "URL": 67,
            "domain": 55,
            "hostname": 30
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "353 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f1bbd524fd440990fb0a62",
          "name": "URLHaus data - 05-04-2025",
          "description": "",
          "modified": "2025-05-05T23:03:32.288000",
          "created": "2025-04-05T23:25:09.738000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "arm",
            "ClearFake",
            "ddos",
            "gafgyt",
            "mirai",
            "sh",
            "ua-wget",
            "dropped-by-LummaStealer",
            "ClickFix",
            "FakeCaptcha",
            "hta",
            "LummaStealer",
            "ps1",
            "html",
            "opendir",
            "WsgiDAV",
            "hajime",
            "bitbucket",
            "exe",
            "infostealer",
            "shadowharvest",
            "signed",
            "stealer",
            "trojan",
            "Emmenhtal",
            "lnk",
            "xml-opendir",
            "censys",
            "backdoor",
            "sshdkit"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 810,
            "hostname": 10,
            "domain": 10
          },
          "indicator_count": 830,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "392 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f06bb2a2628e14cdffceae",
          "name": "Twitter Feed - malwrhunterteam - 04-04-2025",
          "description": "",
          "modified": "2025-05-04T23:03:41.880000",
          "created": "2025-04-04T23:30:58.407000",
          "tags": [],
          "references": [
            "https://x.com/malwrhunterteam/status/1908051775245991958",
            "https://x.com/malwrhunterteam/status/1908088318010507521",
            "https://x.com/malwrhunterteam/status/1908194389379125682",
            "https://x.com/malwrhunterteam/status/1908195317159166247",
            "https://x.com/malwrhunterteam/status/1908210612645032160",
            "https://x.com/malwrhunterteam/status/1908239138240815498",
            "https://x.com/malwrhunterteam/status/1908242568434888777",
            "https://x.com/malwrhunterteam/status/1908258300904288529"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "URL": 5,
            "hostname": 2,
            "domain": 2
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "393 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://x.com/malwrhunterteam/status/1908194389379125682",
        "https://x.com/malwrhunterteam/status/1908210612645032160",
        "https://x.com/malwrhunterteam/status/1908242568434888777",
        "https://urlhaus.abuse.ch/",
        "https://x.com/malwrhunterteam/status/1908088318010507521",
        "https://x.com/malwrhunterteam/status/1908239138240815498",
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware",
        "https://x.com/malwrhunterteam/status/1908051775245991958",
        "https://x.com/malwrhunterteam/status/1908258300904288529",
        "https://x.com/malwrhunterteam/status/1908195317159166247",
        "https://any.run/malware-trends/",
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://urlhaus.abuse.ch/browse/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC5142"
          ],
          "malware_families": [
            "Radthief",
            "Lummac.v2",
            "Atomic",
            "Vidar"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "UNC5142"
          ],
          "malware_families": [
            "Clearfake",
            "Clearshort",
            "Vidar",
            "Unc5142",
            "Radthief",
            "Lummac.v2",
            "Atomic"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "68f130fe56a14a2de8f391b4",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-16T17:53:02.346000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386911,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690849bd041ea4f9df398443",
      "name": "Threat Intel Report-W44-2025",
      "description": "These are weekly baseline recommendations for all IT administrators and CISOs to take corrective action and upgrade their security infrastructure against the threats and attacks newly identified during the week.",
      "modified": "2025-12-03T06:04:08.165000",
      "created": "2025-11-03T06:20:45.583000",
      "tags": [
        "mozi",
        "clearfake",
        "urls http",
        "hashes",
        "domains",
        "sha values",
        "file name",
        "submit date",
        "dateadded",
        "malware url"
      ],
      "references": [
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 97,
        "URL": 242,
        "FileHash-MD5": 58,
        "FileHash-SHA1": 58,
        "FileHash-SHA256": 121,
        "domain": 68
      },
      "indicator_count": 644,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 108,
      "modified_text": "181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f6d632e968e854294b4c92",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
      "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, utilizing innovative methods such as EtherHiding to distribute malware, primarily infostealers. They exploit vulnerable WordPress sites by injecting malicious JavaScript (CLEARSHORT), which subsequently retrieves payloads from attacker-controlled smart contracts, often incorporating social engineering tactics to lure victims. By late 2024, UNC5142 adopted Cloudflare Pages for hosting their landing sites to evade detection, while shifting to AES encryption for payloads, complicating analytical efforts. The group's operational framework has evolved to a complex three-tiered smart contract system, enhancing adaptability and real-time control over malware distribution. Throughout their campaigns, they have deployed various infostealers, showcasing their capability to adjust tactics based on the target operating systems, while demonstrating a commitment to operational continuity even during pauses in activity.",
      "modified": "2025-11-20T00:02:20.508000",
      "created": "2025-10-21T00:39:14.990000",
      "tags": [
        "unc5142",
        "secondary",
        "main",
        "threat defense",
        "bnb smart",
        "chain",
        "main operator",
        "march",
        "mandiant",
        "gtig",
        "defense",
        "february",
        "javascript",
        "clearfake",
        "clearshort",
        "windows",
        "vidar",
        "atomic"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "UNC5142",
          "display_name": "UNC5142",
          "target": null
        },
        {
          "id": "CLEARFAKE",
          "display_name": "CLEARFAKE",
          "target": null
        },
        {
          "id": "CLEARSHORT",
          "display_name": "CLEARSHORT",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 7,
        "URL": 172,
        "domain": 57,
        "hostname": 144
      },
      "indicator_count": 392,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "194 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f1f6d5e67497c1c99e8498",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware.",
      "description": "UNC5142 is a financially motivated cyber threat actor that emerged in late 2023, employing innovative techniques to distribute malware, notably infostealers, while leveraging compromised WordPress sites and a novel method known as EtherHiding. EtherHiding consists of utilizing the BNB Smart Chain to obscure malicious components and control operations via smart contracts. Attacks begin with the exploitation of vulnerable WordPress websites, where malicious JavaScript known as CLEARSHORT is injected. This multistage JavaScript downloader retrieves subsequent payloads through a series of calls to attacker-controlled smart contracts, employing social engineering tactics like ClickFix to entice victims into executing harmful commands.",
      "modified": "2025-11-16T07:01:18.160000",
      "created": "2025-10-17T07:57:09.201000",
      "tags": [
        "unc5142 payload",
        "vidar c2",
        "c2 checkin",
        "vidar",
        "hosting",
        "unc5142 c2",
        "level",
        "iocs sha256",
        "malware family",
        "radthief",
        "atomic"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 66,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 167,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f1badb6d87602adf22364d",
      "name": "IOC - New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-17T03:41:15.347000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68f130fe56a14a2de8f391b4",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f5b8b0b0feb298c846dd46",
      "name": "New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware",
      "description": "",
      "modified": "2025-11-15T17:00:02.086000",
      "created": "2025-10-20T04:21:04.543000",
      "tags": [
        "smart contracts",
        "blockchain",
        "cloudflare pages",
        "bnb smart chain",
        "atomic",
        "lummac.v2",
        "vidar",
        "infostealers",
        "radthief",
        "clearshort",
        "wordpress",
        "etherhiding"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware"
      ],
      "public": 1,
      "adversary": "UNC5142",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ATOMIC",
          "display_name": "ATOMIC",
          "target": null
        },
        {
          "id": "VIDAR",
          "display_name": "VIDAR",
          "target": null
        },
        {
          "id": "LUMMAC.V2",
          "display_name": "LUMMAC.V2",
          "target": null
        },
        {
          "id": "RADTHIEF",
          "display_name": "RADTHIEF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68f130fe56a14a2de8f391b4",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 7,
        "URL": 67,
        "domain": 55,
        "hostname": 30
      },
      "indicator_count": 165,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "198 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "353 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f1bbd524fd440990fb0a62",
      "name": "URLHaus data - 05-04-2025",
      "description": "",
      "modified": "2025-05-05T23:03:32.288000",
      "created": "2025-04-05T23:25:09.738000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "arm",
        "ClearFake",
        "ddos",
        "gafgyt",
        "mirai",
        "sh",
        "ua-wget",
        "dropped-by-LummaStealer",
        "ClickFix",
        "FakeCaptcha",
        "hta",
        "LummaStealer",
        "ps1",
        "html",
        "opendir",
        "WsgiDAV",
        "hajime",
        "bitbucket",
        "exe",
        "infostealer",
        "shadowharvest",
        "signed",
        "stealer",
        "trojan",
        "Emmenhtal",
        "lnk",
        "xml-opendir",
        "censys",
        "backdoor",
        "sshdkit"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 810,
        "hostname": 10,
        "domain": 10
      },
      "indicator_count": 830,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "392 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f06bb2a2628e14cdffceae",
      "name": "Twitter Feed - malwrhunterteam - 04-04-2025",
      "description": "",
      "modified": "2025-05-04T23:03:41.880000",
      "created": "2025-04-04T23:30:58.407000",
      "tags": [],
      "references": [
        "https://x.com/malwrhunterteam/status/1908051775245991958",
        "https://x.com/malwrhunterteam/status/1908088318010507521",
        "https://x.com/malwrhunterteam/status/1908194389379125682",
        "https://x.com/malwrhunterteam/status/1908195317159166247",
        "https://x.com/malwrhunterteam/status/1908210612645032160",
        "https://x.com/malwrhunterteam/status/1908239138240815498",
        "https://x.com/malwrhunterteam/status/1908242568434888777",
        "https://x.com/malwrhunterteam/status/1908258300904288529"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "URL": 5,
        "hostname": 2,
        "domain": 2
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "393 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "captcha-cdn.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "captcha-cdn.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 2,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://captcha-cdn.com/verify.sh",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-04-05",
        "tags": []
      },
      {
        "url": "https://captcha-cdn.com/update",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-04-05",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780416412.0454025
}