{ "type": "Domain", "indicator": "cewalton.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cewalton.com", "alexa": "http://www.alexa.com/siteinfo/cewalton.com", "indicator": "cewalton.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3999359864, "indicator": "cewalton.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6722ad6624869775e01cd675", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files", "description": "On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs.", "modified": "2024-10-30T22:04:22.195000", "created": "2024-10-30T22:04:22.195000", "tags": [ "Midnight Blizzard", "russia", "RDP", "remote desktop", "phishing", "campaign", "UNC2452", "apt29", "Cozy Bear", "Backdoor", "HustleCon" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/" ], "public": 1, "adversary": "UNC2452", "targeted_countries": [], "malware_families": [ { "id": "HustleCon", "display_name": "HustleCon", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 146, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 276 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 386578, "modified_text": "577 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67524a209fefbf5752821ca7", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "Microsoft is investigating a large-scale spear-phishing campaign targeting individuals, companies and governments in a range of sectors, as well as the Russian government, which is believed to be targeting Microsoft employees.", "modified": "2024-12-06T00:49:36.309000", "created": "2024-12-06T00:49:36.309000", "tags": [ "microsoft", "office", "rdp connection", "october", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "541 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672ab35bf473ce2dacd6c451", "name": "InQuest - 05-11-2024", "description": "", "modified": "2024-12-06T00:00:19.259000", "created": "2024-11-06T00:07:55.388000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "FileHash-MD5": 33, "URL": 474, "domain": 43, "hostname": 299, "FileHash-SHA1": 20 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67296341c2cf1ea0dcd07af6", "name": "InQuest - 04-11-2024", "description": "", "modified": "2024-12-05T00:01:00.059000", "created": "2024-11-05T00:13:53.185000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "URL": 481, "domain": 43, "FileHash-MD5": 33, "hostname": 301, "FileHash-SHA1": 20 }, "indicator_count": 1118, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672812847a9c534e9a56ce48", "name": "InQuest - 03-11-2024", "description": "", "modified": "2024-12-04T00:04:46.021000", "created": "2024-11-04T00:17:08.609000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6726c0f6d95b33af726583d1", "name": "InQuest - 02-11-2024", "description": "", "modified": "2024-12-03T00:01:44.191000", "created": "2024-11-03T00:16:54.875000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "544 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6725701ab2fe91b331357936", "name": "InQuest - 01-11-2024", "description": "", "modified": "2024-12-02T00:03:32.785000", "created": "2024-11-02T00:19:38.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "FileHash-MD5": 12, "URL": 409, "FileHash-SHA1": 2, "hostname": 298, "domain": 32 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "545 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67241e8c185ad2c3b5ead344", "name": "InQuest - 31-10-2024", "description": "", "modified": "2024-12-01T00:03:12.320000", "created": "2024-11-01T00:19:24.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "hostname": 287, "URL": 380, "domain": 20, "FileHash-SHA256": 343 }, "indicator_count": 1037, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67342870b23fd22cdb73989a", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "", "modified": "2024-11-13T04:17:52.678000", "created": "2024-11-13T04:17:52.678000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "public": 1, "adversary": "Midnight Blizzard", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "672c63f99254b32135263ffc", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "564 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672c63f99254b32135263ffc", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "", "modified": "2024-11-07T06:53:45.131000", "created": "2024-11-07T06:53:45.131000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "public": 1, "adversary": "Midnight Blizzard", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "672c63ccda2af4c23f770190", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "570 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672c63ccda2af4c23f770190", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "Microsoft is investigating a series of cyber-attacks targeting government and other public sectors, as well as a large-scale spear-phishing campaign conducted by Blizzard, which is currently being investigated by the US government.", "modified": "2024-11-07T06:53:00.205000", "created": "2024-11-07T06:53:00.205000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "public": 1, "adversary": "Midnight Blizzard", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "570 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67289ba39ba58bca2e7e65cf", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "Microsoft is investigating a series of cyber-attacks targeting government and other public sectors, as well as a large-scale spear-phishing campaign conducted by Blizzard, which is currently being investigated by the US government.", "modified": "2024-11-04T10:02:11.521000", "created": "2024-11-04T10:02:11.521000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6726018c228c295826e3f32d", "name": "Weaponized RDP Files Using for Phishing Attack", "description": "", "modified": "2024-11-02T10:40:12.457000", "created": "2024-11-02T10:40:12.457000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "575 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6722297c26507c2e415a61a9", "name": "Massive Midnight Blizzard Phishing Attack Via Weaponized RDP Files", "description": "Microsoft Threat Intelligence researchers recently discovered a massive Midnight Blizzard Phishing attack that has been using weaponized RDP files.", "modified": "2024-10-30T12:41:32.398000", "created": "2024-10-30T12:41:32.398000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 9, "URL": 28 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "578 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/", "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "related": { "alienvault": { "adversary": [ "UNC2452" ], "malware_families": [ "Hustlecon" ], "industries": [] }, "other": { "adversary": [ "Midnight Blizzard" ], "malware_families": [ "Apt29" ], "industries": [ "Diplomatic" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6722ad6624869775e01cd675", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files", "description": "On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs.", "modified": "2024-10-30T22:04:22.195000", "created": "2024-10-30T22:04:22.195000", "tags": [ "Midnight Blizzard", "russia", "RDP", "remote desktop", "phishing", "campaign", "UNC2452", "apt29", "Cozy Bear", "Backdoor", "HustleCon" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/" ], "public": 1, "adversary": "UNC2452", "targeted_countries": [], "malware_families": [ { "id": "HustleCon", "display_name": "HustleCon", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 146, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 276 }, "indicator_count": 281, "is_author": false, "is_subscribing": null, "subscriber_count": 386578, "modified_text": "577 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67524a209fefbf5752821ca7", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "Microsoft is investigating a large-scale spear-phishing campaign targeting individuals, companies and governments in a range of sectors, as well as the Russian government, which is believed to be targeting Microsoft employees.", "modified": "2024-12-06T00:49:36.309000", "created": "2024-12-06T00:49:36.309000", "tags": [ "microsoft", "office", "rdp connection", "october", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "541 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672ab35bf473ce2dacd6c451", "name": "InQuest - 05-11-2024", "description": "", "modified": "2024-12-06T00:00:19.259000", "created": "2024-11-06T00:07:55.388000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "FileHash-MD5": 33, "URL": 474, "domain": 43, "hostname": 299, "FileHash-SHA1": 20 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "541 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67296341c2cf1ea0dcd07af6", "name": "InQuest - 04-11-2024", "description": "", "modified": "2024-12-05T00:01:00.059000", "created": "2024-11-05T00:13:53.185000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 240, "URL": 481, "domain": 43, "FileHash-MD5": 33, "hostname": 301, "FileHash-SHA1": 20 }, "indicator_count": 1118, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672812847a9c534e9a56ce48", "name": "InQuest - 03-11-2024", "description": "", "modified": "2024-12-04T00:04:46.021000", "created": "2024-11-04T00:17:08.609000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6726c0f6d95b33af726583d1", "name": "InQuest - 02-11-2024", "description": "", "modified": "2024-12-03T00:01:44.191000", "created": "2024-11-03T00:16:54.875000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 33, "URL": 410, "FileHash-SHA256": 42, "FileHash-MD5": 12, "FileHash-SHA1": 2, "hostname": 298 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "544 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6725701ab2fe91b331357936", "name": "InQuest - 01-11-2024", "description": "", "modified": "2024-12-02T00:03:32.785000", "created": "2024-11-02T00:19:38.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 42, "FileHash-MD5": 12, "URL": 409, "FileHash-SHA1": 2, "hostname": 298, "domain": 32 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "545 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67241e8c185ad2c3b5ead344", "name": "InQuest - 31-10-2024", "description": "", "modified": "2024-12-01T00:03:12.320000", "created": "2024-11-01T00:19:24.082000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "hostname": 287, "URL": 380, "domain": 20, "FileHash-SHA256": 343 }, "indicator_count": 1037, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "546 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67342870b23fd22cdb73989a", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "", "modified": "2024-11-13T04:17:52.678000", "created": "2024-11-13T04:17:52.678000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "public": 1, "adversary": "Midnight Blizzard", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "672c63f99254b32135263ffc", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "564 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672c63f99254b32135263ffc", "name": "Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog", "description": "", "modified": "2024-11-07T06:53:45.131000", "created": "2024-11-07T06:53:45.131000", "tags": [ "microsoft", "office", "rdp connection", "endpoint", "aws iam", "surface", "rdp attachment", "filename", "timestamp", "iam identity", "service", "turn", "team", "ukraine", "rats", "defender", "suspicious", "project", "sentinel", "twitter", "apt29" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/?s=31" ], "public": 1, "adversary": "Midnight Blizzard", "targeted_countries": [], "malware_families": [ { "id": "APT29", "display_name": "APT29", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "672c63ccda2af4c23f770190", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 5, "hostname": 276 }, "indicator_count": 282, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "570 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cewalton.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cewalton.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780265049.5819807 }