{ "type": "Domain", "indicator": "checkponit.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/checkponit.com", "alexa": "http://www.alexa.com/siteinfo/checkponit.com", "indicator": "checkponit.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4036203402, "indicator": "checkponit.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67ad1528608f24b71bcea41b", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-12T21:39:52.146000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2f13832155bc5dfad296d", "name": "FINALDRAFT Malware Abuses Outlook for C2 Communications", "description": "A newly discovered cyber espionage campaign has been linked to a threat group known as REF7707, which has been targeting government and academic institutions since November 2024. Researchers said the attackers infiltrated a foreign ministry in South America, along with a university and a telecom company in Southeast Asia, using advanced malware with remote access capabilities.", "modified": "2025-03-19T08:03:48.856000", "created": "2025-02-17T08:20:08.494000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af309efc6f5de1cd9ef928", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:01:34.802000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af3355478fdffe2019aa39", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:13:09.070000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67adc07895a547efedcbbf76", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-15T09:02:47.004000", "created": "2025-02-13T09:50:48.440000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2be450355dada78bd81ec", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-17T04:42:45.282000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": "67ad1528608f24b71bcea41b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b4315a7693c5e24dd76983", "name": "You've Got Malware: FINALDRAFT Hides in Your Drafts \u2014 Elastic Security Labs", "description": "A new family of malware using Microsoft\u2019s Graph API has been developed and used in an espionage campaign, a report by Elastic Security Labs suggests. and it is likely to be a well-organised campaign.", "modified": "2025-02-18T07:06:00.263000", "created": "2025-02-18T07:06:00.263000", "tags": [ "finaldraft", "pathloader", "outlook", "microsoft graph", "valid", "ref7707", "elf variant", "below", "ntlm hash", "labs", "lsass", "execution", "siestagraph", "february", "powershell", "mimikatz", "service", "shell", "malware", "write", "bypass", "linux", "pe", "elf" ], "references": [ "https://www.elastic.co/security-labs/finaldraft#pass-the-hash-toolkit-pntx64dll" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Aaryanaggarwal", "id": "289580", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 3, "domain": 3, "hostname": 4 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "466 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b3440e023123a154792f5e", "name": "You've Got Malware: FINALDRAFT Hides in Your Drafts \u2014 Elastic Security Labs", "description": "A new family of malware using Microsoft\u2019s Graph API has been developed and used in an espionage campaign, a report by Elastic Security Labs suggests. and it is likely to be a well-organised campaign.", "modified": "2025-02-17T14:13:34.039000", "created": "2025-02-17T14:13:34.039000", "tags": [ "finaldraft", "pathloader", "outlook", "microsoft graph", "valid", "ref7707", "elf variant", "below", "ntlm hash", "labs", "lsass", "execution", "siestagraph", "february", "powershell", "mimikatz", "service", "shell", "malware", "write", "bypass", "linux", "pe", "elf" ], "references": [ "https://www.elastic.co/security-labs/finaldraft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 3, "domain": 3, "hostname": 4 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "467 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721", "https://www.elastic.co/security-labs/finaldraft#pass-the-hash-toolkit-pntx64dll", "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721", "https://www.elastic.co/security-labs/finaldraft", "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Finaldraft", "Pathloader", "Guiloader" ], "industries": [ "Education", "Government", "Telecommunications" ] }, "other": { "adversary": [], "malware_families": [ "Finaldraft", "Guiloader", "Linux", "Elf", "C:\\\\windows\\\\system32\\\\net1", "Pe", "Pathloader" ], "industries": [ "Education", "Government", "Foreign", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67ad1528608f24b71bcea41b", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-12T21:39:52.146000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2f13832155bc5dfad296d", "name": "FINALDRAFT Malware Abuses Outlook for C2 Communications", "description": "A newly discovered cyber espionage campaign has been linked to a threat group known as REF7707, which has been targeting government and academic institutions since November 2024. Researchers said the attackers infiltrated a foreign ministry in South America, along with a university and a telecom company in Southeast Asia, using advanced malware with remote access capabilities.", "modified": "2025-03-19T08:03:48.856000", "created": "2025-02-17T08:20:08.494000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af309efc6f5de1cd9ef928", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:01:34.802000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af3355478fdffe2019aa39", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:13:09.070000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67adc07895a547efedcbbf76", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-15T09:02:47.004000", "created": "2025-02-13T09:50:48.440000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2be450355dada78bd81ec", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-17T04:42:45.282000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": "67ad1528608f24b71bcea41b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b4315a7693c5e24dd76983", "name": "You've Got Malware: FINALDRAFT Hides in Your Drafts \u2014 Elastic Security Labs", "description": "A new family of malware using Microsoft\u2019s Graph API has been developed and used in an espionage campaign, a report by Elastic Security Labs suggests. and it is likely to be a well-organised campaign.", "modified": "2025-02-18T07:06:00.263000", "created": "2025-02-18T07:06:00.263000", "tags": [ "finaldraft", "pathloader", "outlook", "microsoft graph", "valid", "ref7707", "elf variant", "below", "ntlm hash", "labs", "lsass", "execution", "siestagraph", "february", "powershell", "mimikatz", "service", "shell", "malware", "write", "bypass", "linux", "pe", "elf" ], "references": [ "https://www.elastic.co/security-labs/finaldraft#pass-the-hash-toolkit-pntx64dll" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Aaryanaggarwal", "id": "289580", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 3, "domain": 3, "hostname": 4 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "466 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b3440e023123a154792f5e", "name": "You've Got Malware: FINALDRAFT Hides in Your Drafts \u2014 Elastic Security Labs", "description": "A new family of malware using Microsoft\u2019s Graph API has been developed and used in an espionage campaign, a report by Elastic Security Labs suggests. and it is likely to be a well-organised campaign.", "modified": "2025-02-17T14:13:34.039000", "created": "2025-02-17T14:13:34.039000", "tags": [ "finaldraft", "pathloader", "outlook", "microsoft graph", "valid", "ref7707", "elf variant", "below", "ntlm hash", "labs", "lsass", "execution", "siestagraph", "february", "powershell", "mimikatz", "service", "shell", "malware", "write", "bypass", "linux", "pe", "elf" ], "references": [ "https://www.elastic.co/security-labs/finaldraft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "PE", "display_name": "PE", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "ELF", "display_name": "ELF", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 3, "domain": 3, "hostname": 4 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "467 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "checkponit.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "checkponit.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200376.3684504 }