{
  "type": "Domain",
  "indicator": "cdn-analytics.co",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/cdn-analytics.co",
    "alexa": "http://www.alexa.com/siteinfo/cdn-analytics.co",
    "indicator": "cdn-analytics.co",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3781297536,
      "indicator": "cdn-analytics.co",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "68650dc72066f12ec3d51939",
          "name": "Iranian APT Actors-Pt4",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:45:25.998000",
          "tags": [],
          "references": [
            "IOCs.pdf"
          ],
          "public": 1,
          "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 92,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 124,
            "CVE": 13,
            "domain": 157,
            "email": 2,
            "hostname": 8
          },
          "indicator_count": 511,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6567d40354a0a84f48a88c93",
          "name": "InQuest - 29-11-2023",
          "description": "",
          "modified": "2023-12-30T00:04:57.002000",
          "created": "2023-11-30T00:14:59.150000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 143,
            "hostname": 101,
            "URL": 436,
            "FileHash-SHA256": 46,
            "domain": 55,
            "FileHash-SHA1": 8
          },
          "indicator_count": 789,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "886 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6566f9f1ee1955c1f7ebaa06",
          "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
          "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as the actor behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as activity against a range of other targets.",
          "modified": "2023-12-29T08:03:05.031000",
          "created": "2023-11-29T08:44:33.833000",
          "tags": [
            "imperial kitten",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "crowdstrike",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Deploys Novel",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Logistics",
            "Maritime",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "domain": 14,
            "email": 2,
            "hostname": 2
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "886 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654eef086bb01eb6f30b8597",
          "name": "Imperial Kitten APT Claws at Israeli Industry",
          "description": "",
          "modified": "2023-12-11T03:01:57.646000",
          "created": "2023-11-11T03:03:36.624000",
          "tags": [
            "attacks-breaches",
            "dr-global",
            "middle-east-and-africa",
            "iran",
            "crowdstrike",
            "imperial kitten",
            "yellow liderc",
            "tortoiseshell",
            "ta456",
            "it service",
            "web compromise",
            "microsoft excel",
            "paexec utility",
            "unknown",
            "c server",
            "candiru",
            "figure",
            "watering hole",
            "middle east",
            "strong",
            "javascript code",
            "citizen lab",
            "eset research",
            "first",
            "april",
            "august",
            "cluster",
            "virustotal",
            "mozi",
            "tips",
            "back",
            "twitter",
            "june",
            "middle",
            "armenia",
            "albania",
            "comment",
            "malware",
            "target",
            "karkadann",
            "kamran",
            "android",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
            "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Imperial Kitten",
          "targeted_countries": [
            "Yemen"
          ],
          "malware_families": [
            {
              "id": "Karkadann",
              "display_name": "Karkadann",
              "target": null
            },
            {
              "id": "Kamran",
              "display_name": "Kamran",
              "target": null
            },
            {
              "id": "Android",
              "display_name": "Android",
              "target": null
            },
            {
              "id": "Candiru",
              "display_name": "Candiru",
              "target": null
            },
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Transportation",
            "Technology",
            "Logistics",
            "Maritime",
            "Embassy",
            "Aerospace",
            "Foreign Affairs",
            "Electricity",
            "Finance",
            "Media",
            "Tech",
            "Government",
            "Medical",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 68,
            "hostname": 3,
            "email": 2
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "904 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654eef09a21dc287daf71a1d",
          "name": "Imperial Kitten APT Claws at Israeli Industry",
          "description": "",
          "modified": "2023-12-11T03:01:57.646000",
          "created": "2023-11-11T03:03:37.702000",
          "tags": [
            "attacks-breaches",
            "dr-global",
            "middle-east-and-africa",
            "iran",
            "crowdstrike",
            "imperial kitten",
            "yellow liderc",
            "tortoiseshell",
            "ta456",
            "it service",
            "web compromise",
            "microsoft excel",
            "paexec utility",
            "unknown",
            "c server",
            "candiru",
            "figure",
            "watering hole",
            "middle east",
            "strong",
            "javascript code",
            "citizen lab",
            "eset research",
            "first",
            "april",
            "august",
            "cluster",
            "virustotal",
            "mozi",
            "tips",
            "back",
            "twitter",
            "june",
            "middle",
            "armenia",
            "albania",
            "comment",
            "malware",
            "target",
            "karkadann",
            "kamran",
            "android",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
            "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Imperial Kitten",
          "targeted_countries": [
            "Yemen"
          ],
          "malware_families": [
            {
              "id": "Karkadann",
              "display_name": "Karkadann",
              "target": null
            },
            {
              "id": "Kamran",
              "display_name": "Kamran",
              "target": null
            },
            {
              "id": "Android",
              "display_name": "Android",
              "target": null
            },
            {
              "id": "Candiru",
              "display_name": "Candiru",
              "target": null
            },
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Transportation",
            "Technology",
            "Logistics",
            "Maritime",
            "Embassy",
            "Aerospace",
            "Foreign Affairs",
            "Electricity",
            "Finance",
            "Media",
            "Tech",
            "Government",
            "Medical",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 68,
            "hostname": 3,
            "email": 2
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "904 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65699d274c86d8025b6b5938",
          "name": "Imperial Kitten APT Claws at Israeli Industry         [Created by Cryptocti]",
          "description": "",
          "modified": "2023-12-11T03:01:57.646000",
          "created": "2023-12-01T08:45:27.066000",
          "tags": [
            "attacks-breaches",
            "dr-global",
            "middle-east-and-africa",
            "iran",
            "crowdstrike",
            "imperial kitten",
            "yellow liderc",
            "tortoiseshell",
            "ta456",
            "it service",
            "web compromise",
            "microsoft excel",
            "paexec utility",
            "unknown",
            "c server",
            "candiru",
            "figure",
            "watering hole",
            "middle east",
            "strong",
            "javascript code",
            "citizen lab",
            "eset research",
            "first",
            "april",
            "august",
            "cluster",
            "virustotal",
            "mozi",
            "tips",
            "back",
            "twitter",
            "june",
            "middle",
            "armenia",
            "albania",
            "comment",
            "malware",
            "target",
            "karkadann",
            "kamran",
            "android",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
            "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Imperial Kitten",
          "targeted_countries": [
            "Yemen"
          ],
          "malware_families": [
            {
              "id": "Karkadann",
              "display_name": "Karkadann",
              "target": null
            },
            {
              "id": "Kamran",
              "display_name": "Kamran",
              "target": null
            },
            {
              "id": "Android",
              "display_name": "Android",
              "target": null
            },
            {
              "id": "Candiru",
              "display_name": "Candiru",
              "target": null
            },
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Transportation",
            "Technology",
            "Logistics",
            "Maritime",
            "Embassy",
            "Aerospace",
            "Foreign Affairs",
            "Electricity",
            "Finance",
            "Media",
            "Tech",
            "Government",
            "Medical",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": "654eef09a21dc287daf71a1d",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 68,
            "hostname": 3,
            "email": 2
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "904 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "656a96c4f39ec3cdc99278cb",
          "name": "Imperial Kitten APT Claws at Israeli Industry [Created by Cryptocti]",
          "description": "",
          "modified": "2023-12-11T03:01:57.646000",
          "created": "2023-12-02T02:30:28.464000",
          "tags": [
            "attacks-breaches",
            "dr-global",
            "middle-east-and-africa",
            "iran",
            "crowdstrike",
            "imperial kitten",
            "yellow liderc",
            "tortoiseshell",
            "ta456",
            "it service",
            "web compromise",
            "microsoft excel",
            "paexec utility",
            "unknown",
            "c server",
            "candiru",
            "figure",
            "watering hole",
            "middle east",
            "strong",
            "javascript code",
            "citizen lab",
            "eset research",
            "first",
            "april",
            "august",
            "cluster",
            "virustotal",
            "mozi",
            "tips",
            "back",
            "twitter",
            "june",
            "middle",
            "armenia",
            "albania",
            "comment",
            "malware",
            "target",
            "karkadann",
            "kamran",
            "android",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
            "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Imperial Kitten",
          "targeted_countries": [
            "Yemen"
          ],
          "malware_families": [
            {
              "id": "Karkadann",
              "display_name": "Karkadann",
              "target": null
            },
            {
              "id": "Kamran",
              "display_name": "Kamran",
              "target": null
            },
            {
              "id": "Android",
              "display_name": "Android",
              "target": null
            },
            {
              "id": "Candiru",
              "display_name": "Candiru",
              "target": null
            },
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Transportation",
            "Technology",
            "Logistics",
            "Maritime",
            "Embassy",
            "Aerospace",
            "Foreign Affairs",
            "Electricity",
            "Finance",
            "Media",
            "Tech",
            "Government",
            "Medical",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": "65699d274c86d8025b6b5938",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 68,
            "hostname": 3,
            "email": 2
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "904 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654e13c913bc37ad98c7c931",
          "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
          "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as the actor behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as operations against a range of other targets.",
          "modified": "2023-12-10T11:01:15.222000",
          "created": "2023-11-10T11:28:09.076000",
          "tags": [
            "imperial kitten",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "crowdstrike",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Deploys Novel",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Logistics",
            "Maritime",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "domain": 14,
            "email": 2,
            "hostname": 2
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "905 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654e18affed10c7873a5db4b",
          "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
          "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as the actor behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as operations against a range of other targets.",
          "modified": "2023-12-10T11:01:15.222000",
          "created": "2023-11-10T11:49:03.271000",
          "tags": [
            "imperial kitten",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "crowdstrike",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp",
            "deploys novel"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "Deploys Novel",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "IMAPLoader",
              "display_name": "IMAPLoader",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Logistics",
            "Maritime",
            "Defense",
            "Telecommunications",
            "Energy",
            "Consulting"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "domain": 14,
            "email": 2,
            "hostname": 2
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "905 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "654ded1db0806b3973a49cd3",
          "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
          "description": "",
          "modified": "2023-12-10T08:04:00.194000",
          "created": "2023-11-10T08:43:09.784000",
          "tags": [
            "imperial kitten",
            "imaploader",
            "sha256 hash",
            "computers",
            "ip address",
            "discord",
            "kitten",
            "uuid",
            "crowdstrike",
            "intelligence",
            "paexec",
            "python",
            "sugarrush",
            "later",
            "netscan",
            "procdump",
            "icmp"
          ],
          "references": [
            "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "domain": 14,
            "email": 2,
            "hostname": 2
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "905 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/",
        "https://labs.inquest.net/iocdb",
        "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
        "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
        "IOCs.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
            "Imperial Kitten",
            "Deploys Novel"
          ],
          "malware_families": [
            "Imaploader",
            "Candiru",
            "Karkadann",
            "Python",
            "Android",
            "Kamran"
          ],
          "industries": [
            "Tech",
            "Government",
            "Medical",
            "Media",
            "Consulting",
            "Telecommunications",
            "Electricity",
            "Aerospace",
            "Finance",
            "Defense",
            "Energy",
            "Foreign affairs",
            "Maritime",
            "Transportation",
            "Technology",
            "Embassy",
            "Logistics"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "68650dc72066f12ec3d51939",
      "name": "Iranian APT Actors-Pt4",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:45:25.998000",
      "tags": [],
      "references": [
        "IOCs.pdf"
      ],
      "public": 1,
      "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 92,
        "FileHash-SHA1": 100,
        "FileHash-SHA256": 124,
        "CVE": 13,
        "domain": 157,
        "email": 2,
        "hostname": 8
      },
      "indicator_count": 511,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6567d40354a0a84f48a88c93",
      "name": "InQuest - 29-11-2023",
      "description": "",
      "modified": "2023-12-30T00:04:57.002000",
      "created": "2023-11-30T00:14:59.150000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 143,
        "hostname": 101,
        "URL": 436,
        "FileHash-SHA256": 46,
        "domain": 55,
        "FileHash-SHA1": 8
      },
      "indicator_count": 789,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "886 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6566f9f1ee1955c1f7ebaa06",
      "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
      "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as being behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as operations against a range of other targets.",
      "modified": "2023-12-29T08:03:05.031000",
      "created": "2023-11-29T08:44:33.833000",
      "tags": [
        "imperial kitten",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "crowdstrike",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Deploys Novel",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Transportation",
        "Logistics",
        "Maritime",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "domain": 14,
        "email": 2,
        "hostname": 2
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "886 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "654eef086bb01eb6f30b8597",
      "name": "Imperial Kitten APT Claws at Israeli Industry",
      "description": "",
      "modified": "2023-12-11T03:01:57.646000",
      "created": "2023-11-11T03:03:36.624000",
      "tags": [
        "attacks-breaches",
        "dr-global",
        "middle-east-and-africa",
        "iran",
        "crowdstrike",
        "imperial kitten",
        "yellow liderc",
        "tortoiseshell",
        "ta456",
        "it service",
        "web compromise",
        "microsoft excel",
        "paexec utility",
        "unknown",
        "c server",
        "candiru",
        "figure",
        "watering hole",
        "middle east",
        "strong",
        "javascript code",
        "citizen lab",
        "eset research",
        "first",
        "april",
        "august",
        "cluster",
        "virustotal",
        "mozi",
        "tips",
        "back",
        "twitter",
        "june",
        "middle",
        "armenia",
        "albania",
        "comment",
        "malware",
        "target",
        "karkadann",
        "kamran",
        "android",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
        "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Imperial Kitten",
      "targeted_countries": [
        "Yemen"
      ],
      "malware_families": [
        {
          "id": "Karkadann",
          "display_name": "Karkadann",
          "target": null
        },
        {
          "id": "Kamran",
          "display_name": "Kamran",
          "target": null
        },
        {
          "id": "Android",
          "display_name": "Android",
          "target": null
        },
        {
          "id": "Candiru",
          "display_name": "Candiru",
          "target": null
        },
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [
        "Transportation",
        "Technology",
        "Logistics",
        "Maritime",
        "Embassy",
        "Aerospace",
        "Foreign Affairs",
        "Electricity",
        "Finance",
        "Media",
        "Tech",
        "Government",
        "Medical",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 68,
        "hostname": 3,
        "email": 2
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "904 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "654eef09a21dc287daf71a1d",
      "name": "Imperial Kitten APT Claws at Israeli Industry",
      "description": "",
      "modified": "2023-12-11T03:01:57.646000",
      "created": "2023-11-11T03:03:37.702000",
      "tags": [
        "attacks-breaches",
        "dr-global",
        "middle-east-and-africa",
        "iran",
        "crowdstrike",
        "imperial kitten",
        "yellow liderc",
        "tortoiseshell",
        "ta456",
        "it service",
        "web compromise",
        "microsoft excel",
        "paexec utility",
        "unknown",
        "c server",
        "candiru",
        "figure",
        "watering hole",
        "middle east",
        "strong",
        "javascript code",
        "citizen lab",
        "eset research",
        "first",
        "april",
        "august",
        "cluster",
        "virustotal",
        "mozi",
        "tips",
        "back",
        "twitter",
        "june",
        "middle",
        "armenia",
        "albania",
        "comment",
        "malware",
        "target",
        "karkadann",
        "kamran",
        "android",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
        "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Imperial Kitten",
      "targeted_countries": [
        "Yemen"
      ],
      "malware_families": [
        {
          "id": "Karkadann",
          "display_name": "Karkadann",
          "target": null
        },
        {
          "id": "Kamran",
          "display_name": "Kamran",
          "target": null
        },
        {
          "id": "Android",
          "display_name": "Android",
          "target": null
        },
        {
          "id": "Candiru",
          "display_name": "Candiru",
          "target": null
        },
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [
        "Transportation",
        "Technology",
        "Logistics",
        "Maritime",
        "Embassy",
        "Aerospace",
        "Foreign Affairs",
        "Electricity",
        "Finance",
        "Media",
        "Tech",
        "Government",
        "Medical",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 68,
        "hostname": 3,
        "email": 2
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "904 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65699d274c86d8025b6b5938",
      "name": "Imperial Kitten APT Claws at Israeli Industry         [Created by Cryptocti]",
      "description": "",
      "modified": "2023-12-11T03:01:57.646000",
      "created": "2023-12-01T08:45:27.066000",
      "tags": [
        "attacks-breaches",
        "dr-global",
        "middle-east-and-africa",
        "iran",
        "crowdstrike",
        "imperial kitten",
        "yellow liderc",
        "tortoiseshell",
        "ta456",
        "it service",
        "web compromise",
        "microsoft excel",
        "paexec utility",
        "unknown",
        "c server",
        "candiru",
        "figure",
        "watering hole",
        "middle east",
        "strong",
        "javascript code",
        "citizen lab",
        "eset research",
        "first",
        "april",
        "august",
        "cluster",
        "virustotal",
        "mozi",
        "tips",
        "back",
        "twitter",
        "june",
        "middle",
        "armenia",
        "albania",
        "comment",
        "malware",
        "target",
        "karkadann",
        "kamran",
        "android",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
        "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Imperial Kitten",
      "targeted_countries": [
        "Yemen"
      ],
      "malware_families": [
        {
          "id": "Karkadann",
          "display_name": "Karkadann",
          "target": null
        },
        {
          "id": "Kamran",
          "display_name": "Kamran",
          "target": null
        },
        {
          "id": "Android",
          "display_name": "Android",
          "target": null
        },
        {
          "id": "Candiru",
          "display_name": "Candiru",
          "target": null
        },
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [
        "Transportation",
        "Technology",
        "Logistics",
        "Maritime",
        "Embassy",
        "Aerospace",
        "Foreign Affairs",
        "Electricity",
        "Finance",
        "Media",
        "Tech",
        "Government",
        "Medical",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": "654eef09a21dc287daf71a1d",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 68,
        "hostname": 3,
        "email": 2
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "904 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "656a96c4f39ec3cdc99278cb",
      "name": "Imperial Kitten APT Claws at Israeli Industry [Created by Cryptocti]",
      "description": "",
      "modified": "2023-12-11T03:01:57.646000",
      "created": "2023-12-02T02:30:28.464000",
      "tags": [
        "attacks-breaches",
        "dr-global",
        "middle-east-and-africa",
        "iran",
        "crowdstrike",
        "imperial kitten",
        "yellow liderc",
        "tortoiseshell",
        "ta456",
        "it service",
        "web compromise",
        "microsoft excel",
        "paexec utility",
        "unknown",
        "c server",
        "candiru",
        "figure",
        "watering hole",
        "middle east",
        "strong",
        "javascript code",
        "citizen lab",
        "eset research",
        "first",
        "april",
        "august",
        "cluster",
        "virustotal",
        "mozi",
        "tips",
        "back",
        "twitter",
        "june",
        "middle",
        "armenia",
        "albania",
        "comment",
        "malware",
        "target",
        "karkadann",
        "kamran",
        "android",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true",
        "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Imperial Kitten",
      "targeted_countries": [
        "Yemen"
      ],
      "malware_families": [
        {
          "id": "Karkadann",
          "display_name": "Karkadann",
          "target": null
        },
        {
          "id": "Kamran",
          "display_name": "Kamran",
          "target": null
        },
        {
          "id": "Android",
          "display_name": "Android",
          "target": null
        },
        {
          "id": "Candiru",
          "display_name": "Candiru",
          "target": null
        },
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [
        "Transportation",
        "Technology",
        "Logistics",
        "Maritime",
        "Embassy",
        "Aerospace",
        "Foreign Affairs",
        "Electricity",
        "Finance",
        "Media",
        "Tech",
        "Government",
        "Medical",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": "65699d274c86d8025b6b5938",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 68,
        "hostname": 3,
        "email": 2
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "904 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "654e13c913bc37ad98c7c931",
      "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
      "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as being behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as operations against a range of other targets.",
      "modified": "2023-12-10T11:01:15.222000",
      "created": "2023-11-10T11:28:09.076000",
      "tags": [
        "imperial kitten",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "crowdstrike",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Deploys Novel",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Transportation",
        "Logistics",
        "Maritime",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bluenumberone",
        "id": "246058",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "domain": 14,
        "email": 2,
        "hostname": 2
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "905 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "654e18affed10c7873a5db4b",
      "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
      "description": "CrowdStrike Intelligence has identified an Iran-nexus adversary as being behind a series of cyberattacks and strategic web compromise operations in the Middle East between 2023 and 2028, as well as operations against a range of other targets.",
      "modified": "2023-12-10T11:01:15.222000",
      "created": "2023-11-10T11:49:03.271000",
      "tags": [
        "imperial kitten",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "crowdstrike",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp",
        "deploys novel"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "Deploys Novel",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "IMAPLoader",
          "display_name": "IMAPLoader",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Transportation",
        "Logistics",
        "Maritime",
        "Defense",
        "Telecommunications",
        "Energy",
        "Consulting"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "domain": 14,
        "email": 2,
        "hostname": 2
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "905 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "654ded1db0806b3973a49cd3",
      "name": "IMPERIAL KITTEN Deploys Novel Malware Families",
      "description": "",
      "modified": "2023-12-10T08:04:00.194000",
      "created": "2023-11-10T08:43:09.784000",
      "tags": [
        "imperial kitten",
        "imaploader",
        "sha256 hash",
        "computers",
        "ip address",
        "discord",
        "kitten",
        "uuid",
        "crowdstrike",
        "intelligence",
        "paexec",
        "python",
        "sugarrush",
        "later",
        "netscan",
        "procdump",
        "icmp"
      ],
      "references": [
        "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "domain": 14,
        "email": 2,
        "hostname": 2
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "905 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "cdn-analytics.co",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "cdn-analytics.co",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780448513.0793045
}