{ "type": "Domain", "indicator": "chhimi.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/chhimi.com", "alexa": "http://www.alexa.com/siteinfo/chhimi.com", "indicator": "chhimi.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3940341113, "indicator": "chhimi.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "684c90509889eb77ff43d758", "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:55:44.654000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fc08ec1f449ae3711bff0", "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.", "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:58:22.198000", "tags": [ "strong", "title", "link", "summary", "threats", "grayalpha", "rst cloud", "powershell", "discord", "katz stealer", "funksec", "killsec", "february", "ghostlocker", "werewolf", "hammer", "shadowpad", "scatterbrain", "asyncrat", "loader", "malware", "muddywater", "skuld", "remote access", "javascript" ], "references": [ "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Skuld", "display_name": "Skuld", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "FileHash-MD5": 249, "FileHash-SHA1": 112, "FileHash-SHA256": 244, "CVE": 1, "domain": 232, "email": 2, "hostname": 67 }, "indicator_count": 943, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684ef8a0dd98ef690862f85a", "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.", "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT)..", "modified": "2025-07-15T16:04:55.152000", "created": "2025-06-15T16:45:20.658000", "tags": [], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 8, "domain": 143, "email": 4, "hostname": 1 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853d0f0f31f3f1ceda90e69", "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-19T08:57:20.036000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": "684c90509889eb77ff43d758", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a3b3a352d7c910fa5f4f96", "name": "The Evolving Threat of TAG-124", "description": "All photographs courtesy of AP, AFP, EPA, Getty Images, Reuters and Reuters/ GettyImages. (All images are copyrighted).. \u00c2\u00a31.5m.. and", "modified": "2025-03-07T18:02:24.372000", "created": "2025-02-05T18:53:23.378000", "tags": [], "references": [ "adv11.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 28, "domain": 82, "hostname": 2 }, "indicator_count": 168, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f245f3709030a9f0ccb7", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.", "modified": "2025-03-06T10:04:51.026000", "created": "2025-02-04T10:56:05.010000", "tags": [ "tag124", "cloudflare", "wordpress", "insikt group", "figure", "google chrome", "future", "urls", "ta582", "fake google", "rhysida", "powershell", "april", "insikt", "remcos", "interlock" ], "references": [ "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "REMCOS", "display_name": "REMCOS", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 30, "FileHash-SHA256": 30, "URL": 2, "domain": 254, "hostname": 112 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "452 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679ba047fa5e47a0f6e2c071", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.", "modified": "2025-03-01T15:01:42.461000", "created": "2025-01-30T15:52:39.738000", "tags": [ "fake google", "chrome update", "matomo instance", "remcos rat", "c2 ip", "address", "ta582", "hashes" ], "references": [], "public": 1, "adversary": "TAG-124", "targeted_countries": [], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "InformationTechnogyISAC", "id": "141282", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 30, "domain": 234, "hostname": 105 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d49e57b701c7b76e978fd6", "name": "AS62904 Eonix Corporation", "description": "", "modified": "2024-10-01T17:01:33.625000", "created": "2024-09-01T17:03:19.676000", "tags": [ "romancescam" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 874, "hostname": 3018 }, "indicator_count": 3892, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66baacc1582fd7f68851ae5f", "name": "AS210644 Aeza International Ltd", "description": "", "modified": "2024-09-12T00:05:20.569000", "created": "2024-08-13T00:45:53.530000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 1697, "hostname": 3077 }, "indicator_count": 4778, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base", "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf", "adv11.txt", "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg", "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2" ], "related": { "alienvault": { "adversary": [ "GrayAlpha" ], "malware_families": [ "Maskbat", "Powernet", "Netsupport rat" ], "industries": [ "Retail", "Hospitality", "Finance" ] }, "other": { "adversary": [ "Insikt", "GrayAlpha", "TAG-124" ], "malware_families": [ "", "Javascript", "Maskbat", "Remote access", "Netsupport rat", "Skuld", "Powernet", "Rhysida", "Interlock", "Insikt", "Socgholish", "Shadowpad", "Remcos" ], "industries": [ "Financial", "Retail", "Hospitality", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "684c90509889eb77ff43d758", "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:55:44.654000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fc08ec1f449ae3711bff0", "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.", "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:58:22.198000", "tags": [ "strong", "title", "link", "summary", "threats", "grayalpha", "rst cloud", "powershell", "discord", "katz stealer", "funksec", "killsec", "february", "ghostlocker", "werewolf", "hammer", "shadowpad", "scatterbrain", "asyncrat", "loader", "malware", "muddywater", "skuld", "remote access", "javascript" ], "references": [ "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Skuld", "display_name": "Skuld", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "FileHash-MD5": 249, "FileHash-SHA1": 112, "FileHash-SHA256": 244, "CVE": 1, "domain": 232, "email": 2, "hostname": 67 }, "indicator_count": 943, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684ef8a0dd98ef690862f85a", "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.", "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT)..", "modified": "2025-07-15T16:04:55.152000", "created": "2025-06-15T16:45:20.658000", "tags": [], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 8, "domain": 143, "email": 4, "hostname": 1 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853d0f0f31f3f1ceda90e69", "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-19T08:57:20.036000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": "684c90509889eb77ff43d758", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a3b3a352d7c910fa5f4f96", "name": "The Evolving Threat of TAG-124", "description": "All photographs courtesy of AP, AFP, EPA, Getty Images, Reuters and Reuters/ GettyImages. (All images are copyrighted).. \u00c2\u00a31.5m.. and", "modified": "2025-03-07T18:02:24.372000", "created": "2025-02-05T18:53:23.378000", "tags": [], "references": [ "adv11.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 28, "domain": 82, "hostname": 2 }, "indicator_count": 168, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a1f245f3709030a9f0ccb7", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "A report by Insikt Group, based on an analysis of compromised WordPress sites, outlines the threat posed by a network of cybercriminal servers known as TAG-124, which is used to distribute malware.", "modified": "2025-03-06T10:04:51.026000", "created": "2025-02-04T10:56:05.010000", "tags": [ "tag124", "cloudflare", "wordpress", "insikt group", "figure", "google chrome", "future", "urls", "ta582", "fake google", "rhysida", "powershell", "april", "insikt", "remcos", "interlock" ], "references": [ "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "REMCOS", "display_name": "REMCOS", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 30, "FileHash-SHA1": 30, "FileHash-SHA256": 30, "URL": 2, "domain": 254, "hostname": 112 }, "indicator_count": 458, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "452 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679ba047fa5e47a0f6e2c071", "name": "TAG-124\u2019s Multi-Layered TDS Infrastructure and Extensive User Base", "description": "https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base\n\nInsikt Group has identified multi-layered infrastructure linked to a traffic distribution system (TDS) tracked by Recorded Future as TAG-124, which overlaps with threat activity clusters known as LandUpdate808, 404TDS, KongTuke, and Chaya_002. TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components. The threat actors behind TAG-124 demonstrate high levels of activity, including regularly updating URLs embedded in the compromised WordPress sites, adding servers, refining TDS logic to evade detection, and adapting infection tactics, as demonstrated by their recent implementation of the ClickFix technique.", "modified": "2025-03-01T15:01:42.461000", "created": "2025-01-30T15:52:39.738000", "tags": [ "fake google", "chrome update", "matomo instance", "remcos rat", "c2 ip", "address", "ta582", "hashes" ], "references": [], "public": 1, "adversary": "TAG-124", "targeted_countries": [], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "InformationTechnogyISAC", "id": "141282", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 30, "domain": 234, "hostname": 105 }, "indicator_count": 383, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d49e57b701c7b76e978fd6", "name": "AS62904 Eonix Corporation", "description": "", "modified": "2024-10-01T17:01:33.625000", "created": "2024-09-01T17:03:19.676000", "tags": [ "romancescam" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 874, "hostname": 3018 }, "indicator_count": 3892, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66baacc1582fd7f68851ae5f", "name": "AS210644 Aeza International Ltd", "description": "", "modified": "2024-09-12T00:05:20.569000", "created": "2024-08-13T00:45:53.530000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 1697, "hostname": 3077 }, "indicator_count": 4778, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "chhimi.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "chhimi.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780389926.768635 }