{ "type": "Domain", "indicator": "ccwaterfall.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ccwaterfall.com", "alexa": "http://www.alexa.com/siteinfo/ccwaterfall.com", "indicator": "ccwaterfall.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3896332708, "indicator": "ccwaterfall.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "66570d81f33fb87a9a553fec", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks", "description": "Microsoft has identified Moonstone Sleet, a new North Korean threat actor that employs various tactics, including creating fake companies, distributing trojanized legitimate tools, developing a malicious game, and deploying custom ransomware. This actor combines methods used by other North Korean groups and unique attack methodologies. Initially overlapping with Diamond Sleet, Moonstone Sleet has since established itself as a distinct, well-resourced threat actor targeting companies for financial gain and cyberespionage.\nTags: North Korea, ransomware, trojanized software, fake companies, malicious game", "modified": "2024-05-29T11:12:00.187000", "created": "2024-05-29T11:12:00.187000", "tags": [ "Moonstone Sleet", "ransomware", "North Korea", "fake companies" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "FakePenny", "display_name": "FakePenny", "target": null }, { "id": "SplitLoader", "display_name": "SplitLoader", "target": null }, { "id": "YouieLoad", "display_name": "YouieLoad", "target": null }, { "id": "ComeBacker", "display_name": "ComeBacker", "target": null }, { "id": "DeTankWar", "display_name": "DeTankWar", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Aerospace", "Defense", "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 9, "domain": 11 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386565, "modified_text": "732 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6721e15c235768ae4d6743f1", "name": "Lazarus APT steals cryptocurrency and user data via a decoy MOBA game | Securelist", "description": "A look at Kaspersky\u2019s research into a zero-day attack carried out by the Lazarus APT cyber-espionage group, which is believed to be targeting governments, businesses and universities.", "modified": "2024-10-30T07:33:48.335000", "created": "2024-10-30T07:33:48.335000", "tags": [ "apt", "bluenoroff", "google chrome", "javascript", "lazarus", "microsoft", "online games", "vulnerabilities and exploits", "zero-day vulnerabilities", "google", "propertyarray", "registerscount", "maglev", "bytecode", "cve20244947", "chrome process", "overwrite", "manuscrypt", "february", "code", "twitter", "malicious", "service" ], "references": [ "https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Russian Federation", "Colombia", "Ecuador", "Chile", "Panama" ], "malware_families": [ { "id": "PropertyArray", "display_name": "PropertyArray", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [ "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "578 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719fbdd6d9f5fe7bb587df8", "name": "Lazarus APT steals cryptocurrency and user data via a decoy MOBA game | Securelist", "description": "", "modified": "2024-10-24T07:48:45.634000", "created": "2024-10-24T07:48:45.634000", "tags": [ "apt", "bluenoroff", "google chrome", "javascript", "lazarus", "microsoft", "online games", "vulnerabilities and exploits", "zero-day vulnerabilities", "google", "propertyarray", "registerscount", "maglev", "bytecode", "cve20244947", "chrome process", "overwrite", "manuscrypt", "february", "code", "twitter", "malicious", "service" ], "references": [ "https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "584 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719a67384e1b46552aacc2c", "name": "Fake Cryptocurrency Game Campaign Used to Exploit Chrome Zero Day", "description": "", "modified": "2024-10-24T01:44:19.097000", "created": "2024-10-24T01:44:19.097000", "tags": [ "hashes", "sha256", "cyber threat", "october", "time", "crypto cyber", "defence", "classification", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "584 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654138435c5832ca2c4028f", "name": "DOH Domains IOCs", "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with", "modified": "2024-08-26T04:12:43.497000", "created": "2024-05-27T05:00:52.918000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "domain": 1335, "hostname": 667 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "667 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665664b349ed7a80ef42ae33", "name": "URLHaus data - 28-05-2024", "description": "", "modified": "2024-06-27T23:01:59.474000", "created": "2024-05-28T23:11:47.086000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "dropped-by-SmokeLoader", "Formbook", "dropped-by-PrivateLoader", "encrypted", "APT", "Moonstone_sleet", "North-Korean", "Ransomware", "hajime", "hacktool", "portscan", "SocGholish", "RedLineStealer", "libprocesshider", "trojan", "trojan.sagnt", "botnetdomain", "AgentTesla", "GuLoader", "ascii", "Encoded", "rat", "RemcosRAT", "powershell", "ps1", "shellscript", "32", "sparc", "bulletproof", "rats", "AsyncRAT", "malware", "png", ".txt", "script", "mp4", "ua-wget", "vbs-dropper", "spy.python", "stealer", "exe", "mimikatz", "bashlite", "gafgyt", "motorola", "LummaStealer", "backdoor", "msi", "rekoobe", "VenomRAT", "PureLogStealer", "purlogstealer", "boxter", "cmd", "vbs", "trojan.acll", "celestybinder", "boogr", "Generic", "SystemBC", "Loki", "moobot", "mp3", "msil" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 12, "domain": 7 }, "indicator_count": 1019, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66603179a3b3bcd02041b577", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks", "description": "", "modified": "2024-06-05T09:35:53.995000", "created": "2024-06-05T09:35:53.995000", "tags": [ "Moonstone Sleet", "ransomware", "North Korea", "fake companies" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "Moonstone Sleet", "targeted_countries": [], "malware_families": [ { "id": "FakePenny", "display_name": "FakePenny", "target": null }, { "id": "SplitLoader", "display_name": "SplitLoader", "target": null }, { "id": "YouieLoad", "display_name": "YouieLoad", "target": null }, { "id": "ComeBacker", "display_name": "ComeBacker", "target": null }, { "id": "DeTankWar", "display_name": "DeTankWar", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Aerospace", "Defense", "Education", "Technology" ], "TLP": "white", "cloned_from": "665d4e5d7ff800c43702bb6e", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "domain": 11 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "725 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665d4e5d7ff800c43702bb6e", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks", "description": "", "modified": "2024-06-05T09:35:21.596000", "created": "2024-06-03T05:02:21.526000", "tags": [ "Moonstone Sleet", "ransomware", "North Korea", "fake companies" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "Moonstone Sleet", "targeted_countries": [], "malware_families": [ { "id": "FakePenny", "display_name": "FakePenny", "target": null }, { "id": "SplitLoader", "display_name": "SplitLoader", "target": null }, { "id": "YouieLoad", "display_name": "YouieLoad", "target": null }, { "id": "ComeBacker", "display_name": "ComeBacker", "target": null }, { "id": "DeTankWar", "display_name": "DeTankWar", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Aerospace", "Defense", "Education", "Technology" ], "TLP": "white", "cloned_from": "66570d81f33fb87a9a553fec", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "domain": 11 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "725 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66581afd12deb43c9366f713", "name": "A New Korean Threat Actor with New Tricks Named \u201cMoonstone Sleet\u201d Identified", "description": "Hashes (SHA256) are the most common type of encryption, according to a study by the University of California, San Francisco, and the International Institute for the Study of the Large Hadron Collider.", "modified": "2024-05-30T06:21:49.549000", "created": "2024-05-30T06:21:49.549000", "tags": [ "hashes", "sha256", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "domain": 11 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "731 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6658160cb663faffeb3911c7", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Microsoft Security Blog", "description": "A look back at the latest Microsoft security updates, as well as the best examples of how to find out what to do with your own security systems and what is your favourite security tool, or what might you like to check out.", "modified": "2024-05-30T06:00:44.654000", "created": "2024-05-30T06:00:44.654000", "tags": [ "moonstone sleet", "microsoft", "diamond sleet", "putty", "splitloader", "youieload", "north korea", "devicename", "linkedin", "fakepenny", "twitter", "april", "february", "hacktool", "mimikatz", "comebacker", "august", "trojan", "lsass", "notpetya", "wannacry", "trojandropper", "defender", "sentinel", "service", "procdump", "waterfall", "h0lygh0st" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "Waterfall", "targeted_countries": [], "malware_families": [ { "id": "NotPetya", "display_name": "NotPetya", "target": null }, { "id": "North Korea", "display_name": "North Korea", "target": null }, { "id": "FakePenny", "display_name": "FakePenny", "target": null }, { "id": "H0lyGh0st", "display_name": "H0lyGh0st", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [ "Education", "Media", "Information Technology", "Defense", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 1, "domain": 12 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "731 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6656f4357b653d4e59615fd6", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Microsoft Security Blog", "description": "", "modified": "2024-05-29T09:24:05.994000", "created": "2024-05-29T09:24:05.994000", "tags": [ "moonstone sleet", "microsoft", "diamond sleet", "putty", "splitloader", "youieload", "north korea", "devicename", "linkedin", "fakepenny", "twitter", "april", "february", "hacktool", "mimikatz", "comebacker", "august", "trojan", "lsass", "notpetya", "wannacry", "trojandropper", "defender", "sentinel", "service", "procdump" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 9, "URL": 1, "domain": 12 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "732 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt", "https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/", "https://labs.inquest.net/iocdb", "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/", "https://urlhaus.abuse.ch/browse/" ], "related": { "alienvault": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Youieload", "Detankwar", "Comebacker", "Splitloader", "Fakepenny" ], "industries": [ "Defense", "Aerospace", "Education", "Technology" ] }, "other": { "adversary": [ "Lazarus", "Waterfall", "Moonstone Sleet" ], "malware_families": [ "Propertyarray", "Notpetya", "Youieload", "H0lygh0st", "Detankwar", "Comebacker", "North korea", "Splitloader", "Fakepenny" ], "industries": [ "Aerospace", "Media", "Defense", "Industrial", "Information technology", "Crypto", "Technology", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "66570d81f33fb87a9a553fec", "name": "Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks", "description": "Microsoft has identified Moonstone Sleet, a new North Korean threat actor that employs various tactics, including creating fake companies, distributing trojanized legitimate tools, developing a malicious game, and deploying custom ransomware. This actor combines methods used by other North Korean groups and unique attack methodologies. Initially overlapping with Diamond Sleet, Moonstone Sleet has since established itself as a distinct, well-resourced threat actor targeting companies for financial gain and cyberespionage.\nTags: North Korea, ransomware, trojanized software, fake companies, malicious game", "modified": "2024-05-29T11:12:00.187000", "created": "2024-05-29T11:12:00.187000", "tags": [ "Moonstone Sleet", "ransomware", "North Korea", "fake companies" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "FakePenny", "display_name": "FakePenny", "target": null }, { "id": "SplitLoader", "display_name": "SplitLoader", "target": null }, { "id": "YouieLoad", "display_name": "YouieLoad", "target": null }, { "id": "ComeBacker", "display_name": "ComeBacker", "target": null }, { "id": "DeTankWar", "display_name": "DeTankWar", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Aerospace", "Defense", "Education", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 9, "domain": 11 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386565, "modified_text": "732 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ccwaterfall.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ccwaterfall.com", "found": true, "verdict": "malicious", "url_count": 2, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://ccwaterfall.com/products/reader.zip", "status": "offline", "threat": "malware_download", "date_added": "2024-05-28", "tags": [ "APT", "Moonstone_sleet", "North-Korean", "Ransomware" ] }, { "url": "https://ccwaterfall.com/products/putty.zip", "status": "offline", "threat": "malware_download", "date_added": "2024-05-28", "tags": [ "APT", "Moonstone_sleet", "North-Korean", "Ransomware" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780255711.7555916 }