{ "type": "Domain", "indicator": "cheapy.host", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cheapy.host", "alexa": "http://www.alexa.com/siteinfo/cheapy.host", "indicator": "cheapy.host", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4146290778, "indicator": "cheapy.host", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "690cee4f0a00b80c63983535", "name": "Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "German hosting provider aurologic GmbH has become a central hub for high-risk hosting networks, providing upstream transit to multiple threat activity enablers. These include sanctioned entities like Aeza Group and other providers associated with cybercrime and disinformation campaigns. aurologic's continued service to these networks, despite public scrutiny and sanctions, raises questions about the line between neutrality and negligence in internet infrastructure. The company's reactive abuse handling and reliance on legal compliance over proactive risk management have allowed malicious actors to maintain operational stability. This case highlights broader challenges in accountability within the hosting ecosystem and the need for upstream providers to take greater responsibility in preventing infrastructure abuse.", "modified": "2025-11-06T20:08:13.685000", "created": "2025-11-06T18:51:59.847000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386944, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69116694288b0caea1c62710", "name": "Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "", "modified": "2025-11-10T04:14:12.355000", "created": "2025-11-10T04:14:12.355000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "690cee4f0a00b80c63983535", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "204 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690da0b5120b7b89af524483", "name": "IOC - Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "", "modified": "2025-11-07T07:33:09.814000", "created": "2025-11-07T07:33:09.814000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "690cee4f0a00b80c63983535", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "207 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium", "Nov.Week2.csv", "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Technology", "Telecommunications" ] }, "other": { "adversary": [ "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu" ], "malware_families": [], "industries": [ "Technology", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "690cee4f0a00b80c63983535", "name": "Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "German hosting provider aurologic GmbH has become a central hub for high-risk hosting networks, providing upstream transit to multiple threat activity enablers. These include sanctioned entities like Aeza Group and other providers associated with cybercrime and disinformation campaigns. aurologic's continued service to these networks, despite public scrutiny and sanctions, raises questions about the line between neutrality and negligence in internet infrastructure. The company's reactive abuse handling and reliance on legal compliance over proactive risk management have allowed malicious actors to maintain operational stability. This case highlights broader challenges in accountability within the hosting ecosystem and the need for upstream providers to take greater responsibility in preventing infrastructure abuse.", "modified": "2025-11-06T20:08:13.685000", "created": "2025-11-06T18:51:59.847000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386944, "modified_text": "207 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69116694288b0caea1c62710", "name": "Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "", "modified": "2025-11-10T04:14:12.355000", "created": "2025-11-10T04:14:12.355000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "690cee4f0a00b80c63983535", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "204 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690da0b5120b7b89af524483", "name": "IOC - Malicious Infrastructure Finds Stability with aurologic GmbH", "description": "", "modified": "2025-11-07T07:33:09.814000", "created": "2025-11-07T07:33:09.814000", "tags": [ "castleloader", "neutrality", "systembc", "transit", "cybercrime", "lumma", "redline stealer", "phorpiex", "disinformation", "dcrat", "asyncrat", "sanctions", "meduza stealer", "cobalt strike", "thc hydra", "amadey", "stealc", "hosting", "infrastructure", "remcos rat", "upstream", "tinyloader", "abuse", "moobot", "bianlian", "aurologic", "destiny stealer", "quasarrat", "latrodectus", "svcstealer", "rhadamanthys stealer", "darkcomet", "vidar", "dark crystal rat", "risepro stealer", "aurotun", "castlerat", "sliver" ], "references": [ "https://www.recordedfuture.com/research/malicious-infrastructure-finds-stability-with-aurologic-gmbh", "https://www.recordedfuture.com/research/media_1bfe9de2bfeea34dcb206c1c308f99a7b25b68b32.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Iran, Islamic Republic of", "Russian Federation", "Serbia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "690cee4f0a00b80c63983535", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "207 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cheapy.host", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cheapy.host", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780426652.8066556 }