{
  "type": "Domain",
  "indicator": "chcp.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/chcp.com",
    "alexa": "http://www.alexa.com/siteinfo/chcp.com",
    "indicator": "chcp.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2335490490,
      "indicator": "chcp.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 18,
      "pulses": [
        {
          "id": "68a6827e930a07d2130dda50",
          "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
          "description": "This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting.",
          "modified": "2025-09-20T02:05:13.847000",
          "created": "2025-08-21T02:20:46.919000",
          "tags": [
            "cornflake.v3",
            "windytwist.sea",
            "node.js",
            "clickfix",
            "backdoor",
            "kerberoasting",
            "php"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
          ],
          "public": 1,
          "adversary": "UNC5518 and UNC5774",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1552.006",
              "name": "Group Policy Preferences",
              "display_name": "T1552.006 - Group Policy Preferences"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 44,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386761,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "624af93af4f74a77c27d2024",
          "name": "Stolen Images Campaign Ends in Conti Ransomware",
          "description": "In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017; it is usually delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.\n\nUpon execution of the IcedID DLL, discovery activity was performed, which was followed by the dropping of a Cobalt Strike beacon on the infected host. Along the way, the threat actors installed remote management tools such as Atera and Splashtop for persisting in the environment. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly after Christmas), resulting in domain wide encryption.",
          "modified": "2022-05-04T00:05:07.263000",
          "created": "2022-04-04T13:57:14.054000",
          "tags": [
            "Conti",
            "Ransomware",
            "IcedID",
            "malspam"
          ],
          "references": [
            "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 306,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 2,
            "CVE": 2,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 17,
            "FileHash-SHA256": 9,
            "SSLCertFingerprint": 4,
            "URL": 9,
            "domain": 7,
            "hostname": 2
          },
          "indicator_count": 66,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386769,
          "modified_text": "1489 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a01354e0f96f44818129b27",
          "name": "W11 - 05.08.26 - ASUS Clone_UAlberta AHS GoA - Files Only",
          "description": "Scan of AHS/Covenant Health, UAlberta, GoA Domain Joined Device\nW11 - 05.08.26 - P1-P6\nRestricted",
          "modified": "2026-05-11T17:13:37.959000",
          "created": "2026-05-11T01:47:58.771000",
          "tags": [
            "YARA",
            "Jupyter_infostealer",
            "dependsonpythonailib",
            "classified",
            "CP_Script_Inject_Detector",
            "vmdetect",
            "Check_Dlls",
            "NET\thttps://yaraify.abuse.ch/search/yara/NET/",
            "Sus_CMD_Powershell_Usage",
            "test_rule_vldslv",
            "FreddyBearDropper"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
            "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
            "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
            "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
            "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
            "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
            "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
            "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
            "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
            "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
            "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
            "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
            "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
            "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
            "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Healthcare",
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21693,
            "FileHash-SHA1": 1413,
            "FileHash-SHA256": 1420,
            "domain": 26,
            "hostname": 24
          },
          "indicator_count": 24576,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 19,
          "modified_text": "21 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ccc169209973de0dc1918f",
          "name": "vxCube \u2014 Report",
          "description": "A sample of malware has been found on a Windows operating system by researchers at the University of California, San Francisco, and the US National Security Agency (NSA) in New York, which is part of the Malware Research Unit.",
          "modified": "2026-05-01T06:09:34.266000",
          "created": "2026-04-01T06:55:37.276000",
          "tags": [
            "programfiles",
            "full path",
            "windir",
            "behavior pid",
            "behavior",
            "temp",
            "system32",
            "installer",
            "system",
            "yes dump",
            "dump",
            "path"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 3,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ccc1686580c9f4e66f563e",
          "name": "vxCube \u2014 Report",
          "description": "A sample of malware has been found on a Windows operating system by researchers at the University of California, San Francisco, and the US National Security Agency (NSA) in New York, which is part of the Malware Research Unit.",
          "modified": "2026-05-01T06:09:34.266000",
          "created": "2026-04-01T06:55:36.614000",
          "tags": [
            "programfiles",
            "full path",
            "windir",
            "behavior pid",
            "behavior",
            "temp",
            "system32",
            "installer",
            "system",
            "yes dump",
            "dump",
            "path"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 6,
            "domain": 4,
            "hostname": 8
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b48ea78085bbda7a865868",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-04-12T22:04:09.704000",
          "created": "2026-03-13T22:24:39.736000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 30,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "URL": 14,
            "domain": 13,
            "hostname": 37
          },
          "indicator_count": 124,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "50 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b49187d33c6df06eed1b57",
          "name": "vxCube \u2014 Report",
          "description": "need to study sample further; prelim look: unauth. google cloud domain use",
          "modified": "2026-04-12T00:05:39.579000",
          "created": "2026-03-13T22:36:55.274000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4296,
            "FileHash-SHA1": 5,
            "URL": 6,
            "domain": 15,
            "hostname": 18,
            "FileHash-SHA256": 4
          },
          "indicator_count": 4344,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "50 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695d668ac3fccc66d2f6d1a8",
          "name": "A. Random to Upload\\System32.zip\\System32",
          "description": "E:\\Suss-SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\A. Random to Upload\\System32.zip\\System32",
          "modified": "2026-02-05T00:04:00.617000",
          "created": "2026-01-06T19:46:17.990000",
          "tags": [
            "random",
            "drive",
            "problems1",
            "data",
            "no problems",
            "upload",
            "progressa",
            "fri sep",
            "mon sep",
            "mon mar",
            "look",
            "first",
            "dllinject",
            "june",
            "powershell",
            "internal",
            "rooter",
            "alphabet",
            "code",
            "error",
            "info",
            "whirlpool",
            "null",
            "false",
            "write",
            "getad",
            "malware",
            "strings",
            "format",
            "plugx",
            "open",
            "spyeye",
            "config",
            "stream",
            "click",
            "shade",
            "spectre",
            "Microsoft",
            "Windows",
            "System32"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 17,
            "FileHash-MD5": 5086,
            "FileHash-SHA1": 3168,
            "FileHash-SHA256": 2935,
            "domain": 55,
            "email": 3,
            "hostname": 18
          },
          "indicator_count": 11282,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "116 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a7e3908cb4884ad6efbd67",
          "name": "TTP - A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
          "description": "\u672c\u62a5\u544a\u63ed\u793a\u4e86 CORNFLAKE.V3 \u540e\u95e8 \u7684\u6280\u672f\u7ec6\u8282\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u7531 UNC5774\uff08\u8d22\u52a1\u52a8\u673a\u578b\u56e2\u4f19\uff09 \u4f7f\u7528\uff0c\u5e76\u901a\u8fc7 UNC5518 \u7684 ClickFix \u653b\u51fb\u670d\u52a1 \u83b7\u5f97\u521d\u59cb\u8bbf\u95ee\u6743\u9650\u3002\u4e0d\u540c\u4e8e\u4e4b\u524d\u7684 V1 (C \u8bed\u8a00\u4e0b\u8f7d\u5668) \u548c V2 (JS \u4e0b\u8f7d\u5668)\uff0cV3 \u5df2\u8fdb\u5316\u4e3a JS/PHP \u7f16\u5199\u7684\u5b8c\u6574\u540e\u95e8\uff0c\u652f\u6301\u6301\u4e45\u5316\u3001\u7cfb\u7edf\u4fa6\u5bdf\u3001\u51ed\u8bc1\u7a83\u53d6\u53ca\u6a2a\u5411\u79fb\u52a8\u3002\u5176 C2 \u901a\u8baf\u901a\u8fc7 HTTP + XOR \u7f16\u7801\uff0c\u5e76\u5229\u7528 Cloudflare Tunnel \u9690\u533f\u6d41\u91cf\u3002\u62a5\u544a\u540c\u65f6\u63ed\u793a\u5176 Node.js \u4e0e PHP \u53cc\u7248\u672c\u5b9e\u73b0\uff0c\u663e\u793a\u51fa\u6301\u7eed\u8fed\u4ee3\u548c\u89c4\u907f\u68c0\u6d4b\u7684\u8d8b\u52bf\u3002",
          "modified": "2025-09-20T02:05:13.847000",
          "created": "2025-08-22T03:27:12.781000",
          "tags": [
            "cornflake.v3",
            "windytwist.sea",
            "node.js",
            "clickfix",
            "backdoor",
            "kerberoasting",
            "php"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
          ],
          "public": 1,
          "adversary": "UNC5518 and UNC5774",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1552.006",
              "name": "Group Policy Preferences",
              "display_name": "T1552.006 - Group Policy Preferences"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68a6827e930a07d2130dda50",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a6438f99b44336ec1eda95",
          "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor.",
          "description": "The CORNFLAKE.V3 backdoor, part of a campaign associated with the threat groups UNC5518 and UNC5774, has been under investigation by Mandiant Threat Defense since mid-2024. UNC5518 predominantly exploits legitimate websites by serving fake CAPTCHA verification pages to distribute a downloader script, initiating a malware infection chain. This financially driven group often collaborates with other actors, who use the access it gains for further malicious deployments.",
          "modified": "2025-09-19T21:00:18.229000",
          "created": "2025-08-20T21:52:15.188000",
          "tags": [
            "unc5518",
            "mandiant threat",
            "defense",
            "unc5774",
            "mandiant",
            "http",
            "series straight",
            "june",
            "powershell",
            "voltmarker",
            "netsupport",
            "php",
            "cornflake.v3 php",
            "javascript",
            "node.js",
            "windytwist.sea",
            "java windytwist",
            "cornflake",
            "cornflake.v3"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "PHP",
              "display_name": "PHP",
              "target": null
            },
            {
              "id": "CORNFLAKE.V3 PHP",
              "display_name": "CORNFLAKE.V3 PHP",
              "target": null
            },
            {
              "id": "Javascript",
              "display_name": "Javascript",
              "target": null
            },
            {
              "id": "Node.js",
              "display_name": "Node.js",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            },
            {
              "id": "Java WINDYTWIST",
              "display_name": "Java WINDYTWIST",
              "target": null
            },
            {
              "id": "CORNFLAKE",
              "display_name": "CORNFLAKE",
              "target": null
            },
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 7,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "255 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and from offlined data). I don't particularly anticipate this will correlate with anything specific - but at least it will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "451 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6790f7840b7f710153297818",
          "name": "Sophos MDR tracks two ransomware campaigns using \u201cemail bombing,\u201d Microsoft Teams \u201cvishing\u201d \u2013 Sophos News",
          "description": "Sophos X-Ops\u2019 Managed Detection and Response (MDR) has published an in-depth report on two new threat clusters, each linked to the Black Basta ransomware campaign.",
          "modified": "2025-02-21T13:01:37.390000",
          "created": "2025-01-22T13:49:56.485000",
          "tags": [
            "discovery",
            "command",
            "control",
            "sophos mdr",
            "command line",
            "ck ttp",
            "stac5143",
            "bypass noexit",
            "fin7",
            "quick assist",
            "python",
            "powershell",
            "prior",
            "black basta"
          ],
          "references": [
            "https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "465 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66787d5a6185154041c0a9fd",
          "name": "Copy of getting files onto OTX - Windows system32 sha256 dump (filtered)",
          "description": "",
          "modified": "2024-06-27T23:29:05.404000",
          "created": "2024-06-23T19:54:02.296000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "667879806fcf703f9b4b99de",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA256": 865,
            "domain": 39,
            "hostname": 3
          },
          "indicator_count": 913,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "703 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "667879806fcf703f9b4b99de",
          "name": "My workaround to getting files onto OTX - Windows system32 sha256 dump",
          "description": "I have been trying to create a pulse in regard to multiple files failing integrity checks as well as having invalid signatures, some with no signatures, and unconfirmed IoCs pertaining to APT28. This is just to get the hashes and file names into the community. What I was having to do is use vt-cli on Linux to upload the files (which I'm still doing due to API quota restrictions), then calculate the SHA-256 hashes of the files directly, and then copy and paste them into the create page. Take it as you will. Stay tuned.",
          "modified": "2024-06-23T19:37:36.619000",
          "created": "2024-06-23T19:37:36.619000",
          "tags": [
            "dev56a0",
            "subsys3937",
            "deva780",
            "subsysd000",
            "management",
            "task",
            "clientad rms",
            "policy template",
            "refresh",
            "scan",
            "defender",
            "loader"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 19,
            "FileHash-SHA256": 15578,
            "domain": 228,
            "hostname": 23
          },
          "indicator_count": 15848,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 79,
          "modified_text": "708 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64ee2668cad3bfce7a474d79",
          "name": "IOC's from my personal devices for the week starting 08/28/23 - leveraging Yara, overwhelmed",
          "description": "placeholder\n\nCurrently I have well over 2000 detections on this one device alone - I'm working on getting everything presentable.",
          "modified": "2024-02-10T03:37:00.560000",
          "created": "2023-08-29T17:10:00.158000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "842 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64f379639e77ae81f51fb1a6",
          "name": "IOC's from my personal devices for the week starting 08/28/23 (byMeekd1904) hmm?",
          "description": "",
          "modified": "2023-09-02T18:05:23.864000",
          "created": "2023-09-02T18:05:23.864000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "memoryfile scan",
            "ansi",
            "unicode",
            "indicator",
            "file",
            "ck id",
            "mitre att",
            "show technique",
            "ck matrix",
            "hybrid analysis",
            "suspicious",
            "hybrid",
            "close",
            "click",
            "august",
            "crypto",
            "strings",
            "malicious",
            "podcast",
            "team",
            "june",
            "error",
            "virtual size",
            "fail",
            "media",
            "path",
            "entropy",
            "alienvault",
            "open threat"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
            "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
            "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
            "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
            "https://tria.ge/230825-pdyvdabe74",
            "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
            "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086"
          ],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "Poet RAT",
              "display_name": "Poet RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Ponmocup",
              "display_name": "TrojanDropper:Win32/Ponmocup",
              "target": "/malware/TrojanDropper:Win32/Ponmocup"
            },
            {
              "id": "Shylock",
              "display_name": "Shylock",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "TrojanSpy:Win32/Warpp",
              "display_name": "TrojanSpy:Win32/Warpp",
              "target": "/malware/TrojanSpy:Win32/Warpp"
            },
            {
              "id": "IronTiger",
              "display_name": "IronTiger",
              "target": null
            },
            {
              "id": "wimmie",
              "display_name": "wimmie",
              "target": null
            },
            {
              "id": "lsadump",
              "display_name": "lsadump",
              "target": null
            },
            {
              "id": "SURTR",
              "display_name": "SURTR",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            }
          ],
          "industries": [
            "individuals"
          ],
          "TLP": "white",
          "cloned_from": "64ee2668cad3bfce7a474d79",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 68,
            "URL": 119,
            "domain": 36,
            "hostname": 88,
            "email": 1,
            "SSLCertFingerprint": 5
          },
          "indicator_count": 442,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "1003 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "624a9bc20d37c6f8b4b8c5fd",
          "name": "Stolen Images Campaign Ends in Conti Ransomware",
          "description": "Here is the timeline of the intrusion from December 2021 and how the malware ended in Conti ransomware on the 19th day, April 04, 2022, by the end of this year.",
          "modified": "2022-05-04T00:05:07.263000",
          "created": "2022-04-04T07:18:26.468000",
          "tags": [
            "cobalt strike",
            "conti",
            "icedid",
            "stolen images",
            "ryuk",
            "et",
            "strong",
            "email",
            "icedid dll",
            "atera agent",
            "c2 server",
            "http",
            "atera",
            "command",
            "path",
            "april",
            "defender",
            "mimikatz",
            "christmas",
            "bazarloader",
            "covenant",
            "metasploit",
            "empire",
            "poshc2",
            "execution",
            "persistence",
            "agent",
            "win32",
            "explorer",
            "lsass",
            "tools",
            "streamer",
            "impact",
            "ransom",
            "date",
            "twitter"
          ],
          "references": [
            "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "IcedID",
              "display_name": "IcedID",
              "target": null
            },
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Ryuk",
              "display_name": "Ryuk",
              "target": null
            },
            {
              "id": "Stolen Images",
              "display_name": "Stolen Images",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 14,
            "FileHash-SHA1": 17,
            "FileHash-SHA256": 9,
            "SSLCertFingerprint": 4,
            "URL": 9,
            "domain": 7,
            "hostname": 2
          },
          "indicator_count": 64,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 865,
          "modified_text": "1489 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62221d71474b323d486dc3f2",
          "name": "WTF 2022",
          "description": "",
          "modified": "2022-04-03T00:00:55.161000",
          "created": "2022-03-04T14:08:49.518000",
          "tags": [],
          "references": [
            "WTF.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 587,
            "URL": 668,
            "hostname": 613,
            "domain": 1320,
            "FileHash-MD5": 59,
            "FileHash-SHA1": 2
          },
          "indicator_count": 3249,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 406,
          "modified_text": "1520 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086",
        "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
        "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
        "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
        "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2",
        "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
        "WTF.pdf",
        "https://otx.alienvault.com/indicator/file/cbb9ab5848535b5ff8c79badc80efc77e7dd4200b192c14c5990993919b3b156",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "https://n0paste.eu/UH6n5pD/",
        "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
        "https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/",
        "https://hybrid-analysis.com/sample/f0da979013dc3adf7841d93af10dd5d12907752954bde8ca0bb2f027e869f086/6463a5722450ab7d6c0b893e",
        "https://otx.alienvault.com/indicator/file/5987131af62bc75d60f1f8894be2f75d709d8a328570259457063ccfac7f59ca",
        "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
        "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
        "https://hybrid-analysis.com/sample/2a061121e90f3354504a1546b1ca4c71252d02c99b7f677f29602aaa95f91c9e/64e8955eca839267790e3ef3",
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor",
        "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
        "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
        "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
        "https://otx.alienvault.com/indicator/file/0630d8faa930aa80f7fb6b27ff51e082151b64882c69319eba561280da3064ec",
        "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
        "https://otx.alienvault.com/indicator/file/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/",
        "https://hybrid-analysis.com/sample/4db808dc54c9ef1fdad38f1fb7b1ea11be64dbadd8c38d02fa1e66c6eb3c1ed2",
        "https://tria.ge/230825-pdyvdabe74",
        "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
        "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC5518 and UNC5774",
            "Conti"
          ],
          "malware_families": [
            "Cornflake.v3",
            "Windytwist.sea",
            "Conti"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "N/A",
            "UNC5518 and UNC5774",
            "Conti"
          ],
          "malware_families": [
            "Cornflake",
            "Black basta",
            "Icedid",
            "Surtr",
            "Stolen images",
            "Irontiger",
            "Virus:win95/cerebrus",
            "Trojandropper:win32/ponmocup",
            "Cobalt strike",
            "Shylock",
            "Trojan:linux/rootkit",
            "Ryuk",
            "Cornflake.v3 php",
            "Node.js",
            "Php",
            "Wimmie",
            "Cornflake.v3",
            "Trojanspy:win32/warpp",
            "Java windytwist",
            "Et",
            "Conti",
            "Windytwist.sea",
            "Lsadump",
            "Spyeye",
            "Poet rat",
            "Netsupport",
            "Javascript"
          ],
          "industries": [
            "Technology",
            "Healthcare",
            "Individuals",
            "Education",
            "Government",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 18,
  "pulses": [
    {
      "id": "68a6827e930a07d2130dda50",
      "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
      "description": "This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves Active Directory reconnaissance and credential harvesting attempts via Kerberoasting.",
      "modified": "2025-09-20T02:05:13.847000",
      "created": "2025-08-21T02:20:46.919000",
      "tags": [
        "cornflake.v3",
        "windytwist.sea",
        "node.js",
        "clickfix",
        "backdoor",
        "kerberoasting",
        "php"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
      ],
      "public": 1,
      "adversary": "UNC5518 and UNC5774",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1552.006",
          "name": "Group Policy Preferences",
          "display_name": "T1552.006 - Group Policy Preferences"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 44,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386761,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "624af93af4f74a77c27d2024",
      "name": "Stolen Images Campaign Ends in Conti Ransomware",
      "description": "In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017; it is usually delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.\n\nUpon execution of the IcedID DLL, discovery activity was performed, followed by the dropping of a Cobalt Strike beacon on the infected host. Along the way, the threat actors installed remote management tools such as Atera and Splashtop to persist in the environment. While remaining dormant most of the time, the adversary deployed Conti ransomware on the 19th day (shortly after Christmas), resulting in domain-wide encryption.",
      "modified": "2022-05-04T00:05:07.263000",
      "created": "2022-04-04T13:57:14.054000",
      "tags": [
        "Conti",
        "Ransomware",
        "IcedID",
        "malspam"
      ],
      "references": [
        "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/"
      ],
      "public": 1,
      "adversary": "Conti",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Conti",
          "display_name": "Conti",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 306,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 2,
        "CVE": 2,
        "FileHash-MD5": 14,
        "FileHash-SHA1": 17,
        "FileHash-SHA256": 9,
        "SSLCertFingerprint": 4,
        "URL": 9,
        "domain": 7,
        "hostname": 2
      },
      "indicator_count": 66,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386769,
      "modified_text": "1489 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a01354e0f96f44818129b27",
      "name": "W11 - 05.08.26 - ASUS Clone_UAlberta AHS GoA - Files Only",
      "description": "Scan of AHS/Covenant Health, UAlberta, GoA Domain Joined Device\nW11 - 05.08.26 - P1-P6\nRestricted",
      "modified": "2026-05-11T17:13:37.959000",
      "created": "2026-05-11T01:47:58.771000",
      "tags": [
        "YARA",
        "Jupyter_infostealer",
        "dependsonpythonailib",
        "classified",
        "CP_Script_Inject_Detector",
        "vmdetect",
        "Check_Dlls",
        "NET\thttps://yaraify.abuse.ch/search/yara/NET/",
        "Sus_CMD_Powershell_Usage",
        "test_rule_vldslv",
        "FreddyBearDropper"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g3944caf296a54705bdbfd7cec9e92c05e20a53d0d3814c17b06bc7057c5b2472?theme=dark",
        "https://www.virustotal.com/gui/collection/91b6e1b77529d1af156e6626798d259c4cef8c366359f7bd030f84a8f6e16844/iocs",
        "https://www.virustotal.com/graph/embed/gf16ea757421742d8b025d78d53b5bdbc437ba572bcd440ec9b1537d454bd7141?theme=dark",
        "https://www.virustotal.com/gui/collection/207a9894ae39ecf054b7beae2c3d3bf8cc7978562eab9a17d7c8e1db95c634df/iocs",
        "https://www.virustotal.com/graph/embed/gca730d4ad5d04cd9932324db97a38c0b7b4cdb8848264962ab20ef48b3e00704?theme=dark",
        "https://www.virustotal.com/gui/collection/f1139bc311b44effd63c5f3c895386ffb5a15c012d0e1b3efcdad7a9f43af977/iocs",
        "https://www.virustotal.com/gui/collection/c42190433e95fe4960d3c57ec81e869fd063c7c98fe08de1e61c5c7b82ce7951/iocs",
        "https://www.virustotal.com/gui/collection/c01ec3ced8ca33a975e8f41324fe1f9cf2a3e5682137084e8f61c09d3121c3c8/iocs",
        "https://www.virustotal.com/gui/collection/3be31d72071834427b2c433fc5bf71a8288a47ed83012931ac676d56597415ce/iocs",
        "https://metadefender.com/results/file/bzI2MDUxMWc0TkVtTmRpT3g3eUh5VnhWTmZV",
        "https://www.virustotal.com/gui/file/caf6170928c2aa757b4b40593ee640353163e51777f1e41a2cb6e0e46c000b28/detection",
        "https://www.filescan.io/uploads/6a01fd27df14f1cb2ad02927/reports/5891da9f-7e53-46ae-a484-185895cae2d7/overview",
        "https://opentip.kaspersky.com/CAF6170928C2AA757B4B40593EE640353163E51777F1E41A2CB6E0E46C000B28/results?tab=upload",
        "https://yaraify.abuse.ch/scan/results/0890b04c-4d59-11f1-badc-42010aa4000b",
        "https://hybrid-analysis.com/file-collection/6a020a3c5aacd57afc0aa061"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Healthcare",
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21693,
        "FileHash-SHA1": 1413,
        "FileHash-SHA256": 1420,
        "domain": 26,
        "hostname": 24
      },
      "indicator_count": 24576,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 19,
      "modified_text": "21 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ccc169209973de0dc1918f",
      "name": "vxCube \u2014 Report",
      "description": "A sample of malware has been found on a Windows operating system by researchers at the University of California, San Francisco, and the US National Security Agency (NSA) in New York, which is part of the Malware Research Unit.",
      "modified": "2026-05-01T06:09:34.266000",
      "created": "2026-04-01T06:55:37.276000",
      "tags": [
        "programfiles",
        "full path",
        "windir",
        "behavior pid",
        "behavior",
        "temp",
        "system32",
        "installer",
        "system",
        "yes dump",
        "dump",
        "path"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 3,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ccc1686580c9f4e66f563e",
      "name": "vxCube \u2014 Report",
      "description": "A sample of malware has been found on a Windows operating system by researchers at the University of California, San Francisco, and the US National Security Agency (NSA) in New York, which is part of the Malware Research Unit.",
      "modified": "2026-05-01T06:09:34.266000",
      "created": "2026-04-01T06:55:36.614000",
      "tags": [
        "programfiles",
        "full path",
        "windir",
        "behavior pid",
        "behavior",
        "temp",
        "system32",
        "installer",
        "system",
        "yes dump",
        "dump",
        "path"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/00000006e9d3a7e85d1f1e7711787b9a117655e249a565122ee12e9962199007_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775026717&Signature=P%2F3i0d%2BIUziFsVDwbIrETA3W8SZkGFTf3wlrvLmXvqfsRRGETKVexx%2FRUhepf6twXoZbd3ew9epae1DM%2BkYuoz%2FbTCjhBM7tT84GMZWqMB7xmN%2BcbhNt4IxbjX3H%2F1n7lZARIWNbDvRmIxuAO6gK1OdFXAmvXwp9uelNAWlT958ZX32XsGQzwQPfNna7LyY67bLa5eFdHy3eh2dZYEus2WXbJQtw743TkA5kOu2o0aoi0%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 6,
        "domain": 4,
        "hostname": 8
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b48ea78085bbda7a865868",
      "name": "CAPE Sandbox",
      "description": "",
      "modified": "2026-04-12T22:04:09.704000",
      "created": "2026-03-13T22:24:39.736000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 30,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 15,
        "URL": 14,
        "domain": 13,
        "hostname": 37
      },
      "indicator_count": 124,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "50 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b49187d33c6df06eed1b57",
      "name": "vxCube \u2014 Report",
      "description": "need to strudy sample furrher prelim look unauth. google cloud domain use",
      "modified": "2026-04-12T00:05:39.579000",
      "created": "2026-03-13T22:36:55.274000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4296,
        "FileHash-SHA1": 5,
        "URL": 6,
        "domain": 15,
        "hostname": 18,
        "FileHash-SHA256": 4
      },
      "indicator_count": 4344,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "50 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695d668ac3fccc66d2f6d1a8",
      "name": "A. Random to Upload\\System32.zip\\System32",
      "description": "E:\\Suss-SG2\\Backup Drive 2 - UAlberta OneDrive\\User - ualberta.ca\\No Problems\\1. Data for No Problems - Analysis and Upload in Progress\\A. Random to Upload\\System32.zip\\System32",
      "modified": "2026-02-05T00:04:00.617000",
      "created": "2026-01-06T19:46:17.990000",
      "tags": [
        "random",
        "drive",
        "problems1",
        "data",
        "no problems",
        "upload",
        "progressa",
        "fri sep",
        "mon sep",
        "mon mar",
        "look",
        "first",
        "dllinject",
        "june",
        "powershell",
        "internal",
        "rooter",
        "alphabet",
        "code",
        "error",
        "info",
        "whirlpool",
        "null",
        "false",
        "write",
        "getad",
        "malware",
        "strings",
        "format",
        "plugx",
        "open",
        "spyeye",
        "config",
        "stream",
        "click",
        "shade",
        "spectre",
        "Microsoft",
        "Windows",
        "System32"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 17,
        "FileHash-MD5": 5086,
        "FileHash-SHA1": 3168,
        "FileHash-SHA256": 2935,
        "domain": 55,
        "email": 3,
        "hostname": 18
      },
      "indicator_count": 11282,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "116 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a7e3908cb4884ad6efbd67",
      "name": "TTP - A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
      "description": "\u672c\u62a5\u544a\u63ed\u793a\u4e86 CORNFLAKE.V3 \u540e\u95e8 \u7684\u6280\u672f\u7ec6\u8282\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u7531 UNC5774\uff08\u8d22\u52a1\u52a8\u673a\u578b\u56e2\u4f19\uff09 \u4f7f\u7528\uff0c\u5e76\u901a\u8fc7 UNC5518 \u7684 ClickFix \u653b\u51fb\u670d\u52a1 \u83b7\u5f97\u521d\u59cb\u8bbf\u95ee\u6743\u9650\u3002\u4e0d\u540c\u4e8e\u4e4b\u524d\u7684 V1 (C \u8bed\u8a00\u4e0b\u8f7d\u5668) \u548c V2 (JS \u4e0b\u8f7d\u5668)\uff0cV3 \u5df2\u8fdb\u5316\u4e3a JS/PHP \u7f16\u5199\u7684\u5b8c\u6574\u540e\u95e8\uff0c\u652f\u6301\u6301\u4e45\u5316\u3001\u7cfb\u7edf\u4fa6\u5bdf\u3001\u51ed\u8bc1\u7a83\u53d6\u53ca\u6a2a\u5411\u79fb\u52a8\u3002\u5176 C2 \u901a\u8baf\u901a\u8fc7 HTTP + XOR \u7f16\u7801\uff0c\u5e76\u5229\u7528 Cloudflare Tunnel \u9690\u533f\u6d41\u91cf\u3002\u62a5\u544a\u540c\u65f6\u63ed\u793a\u5176 Node.js \u4e0e PHP \u53cc\u7248\u672c\u5b9e\u73b0\uff0c\u663e\u793a\u51fa\u6301\u7eed\u8fed\u4ee3\u548c\u89c4\u907f\u68c0\u6d4b\u7684\u8d8b\u52bf\u3002",
      "modified": "2025-09-20T02:05:13.847000",
      "created": "2025-08-22T03:27:12.781000",
      "tags": [
        "cornflake.v3",
        "windytwist.sea",
        "node.js",
        "clickfix",
        "backdoor",
        "kerberoasting",
        "php"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
      ],
      "public": 1,
      "adversary": "UNC5518 and UNC5774",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1552.006",
          "name": "Group Policy Preferences",
          "display_name": "T1552.006 - Group Policy Preferences"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68a6827e930a07d2130dda50",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a6438f99b44336ec1eda95",
      "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor.",
      "description": "The CORNFLAKE.V3 backdoor, part of a campaign associated with the threat groups UNC5518 and UNC5774, has been under investigation by Mandiant Threat Defense since mid-2024. UNC5518 predominantly exploits legitimate websites by serving fake CAPTCHA verification pages to distribute a downloader script, initiating a malware infection chain. This financial-driven group often collaborates with other actors who utilize the access gained for further malicious deployments.",
      "modified": "2025-09-19T21:00:18.229000",
      "created": "2025-08-20T21:52:15.188000",
      "tags": [
        "unc5518",
        "mandiant threat",
        "defense",
        "unc5774",
        "mandiant",
        "http",
        "series straight",
        "june",
        "powershell",
        "voltmarker",
        "netsupport",
        "php",
        "cornflake.v3 php",
        "javascript",
        "node.js",
        "windytwist.sea",
        "java windytwist",
        "cornflake",
        "cornflake.v3"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "PHP",
          "display_name": "PHP",
          "target": null
        },
        {
          "id": "CORNFLAKE.V3 PHP",
          "display_name": "CORNFLAKE.V3 PHP",
          "target": null
        },
        {
          "id": "Javascript",
          "display_name": "Javascript",
          "target": null
        },
        {
          "id": "Node.js",
          "display_name": "Node.js",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        },
        {
          "id": "Java WINDYTWIST",
          "display_name": "Java WINDYTWIST",
          "target": null
        },
        {
          "id": "CORNFLAKE",
          "display_name": "CORNFLAKE",
          "target": null
        },
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 7,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "255 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "chcp.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "chcp.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780352286.085684
}