{
  "type": "Domain",
  "indicator": "ciscocdn.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ciscocdn.com",
    "alexa": "http://www.alexa.com/siteinfo/ciscocdn.com",
    "indicator": "ciscocdn.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3960513731,
      "indicator": "ciscocdn.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "67ffc3f9b45a8daa24fcb4fe",
          "name": "UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell",
          "description": "Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.",
          "modified": "2025-04-16T18:04:46.571000",
          "created": "2025-04-16T14:51:37.819000",
          "tags": [
            "china",
            "sliver",
            "snowlight",
            "linux",
            "vshell"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell"
          ],
          "public": 1,
          "adversary": "UNC5174",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 5,
            "hostname": 12
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387010,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "354 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68018ec0d07bce6af1ad2c0d",
          "name": "InQuest - 17-04-2025",
          "description": "",
          "modified": "2025-05-17T23:00:53.793000",
          "created": "2025-04-17T23:29:04.810000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 16,
            "domain": 109,
            "URL": 474,
            "hostname": 107,
            "FileHash-SHA256": 463,
            "FileHash-MD5": 20
          },
          "indicator_count": 1189,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68003f65380d5b54e3cd7580",
          "name": "InQuest - 16-04-2025",
          "description": "",
          "modified": "2025-05-16T23:04:47.236000",
          "created": "2025-04-16T23:38:13.521000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 540,
            "FileHash-MD5": 8,
            "FileHash-SHA256": 503,
            "hostname": 109,
            "domain": 142,
            "FileHash-SHA1": 19
          },
          "indicator_count": 1321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ffa95f151c5344baf7419f",
          "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
          "description": "",
          "modified": "2025-05-16T12:05:02.605000",
          "created": "2025-04-16T12:58:07.087000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6801d029c9e039c4cc2da8a1",
          "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
          "description": "",
          "modified": "2025-05-16T12:05:02.605000",
          "created": "2025-04-18T04:08:09.746000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ffa95f151c5344baf7419f",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ff7c5a5163eb4b1d743547",
          "name": "China Hackers Launch Stealth Linux Attacks with SNOWLIGHT and VShell",
          "description": "A China-linked threat actor, tracked as UNC5174, has launched a new campaign using a variant of the SNOWLIGHT malware and a remote access trojan known as VShell to compromise Linux systems. The group is leveraging open-source tools to reduce costs, blend in with less advanced attackers, and evade detection.",
          "modified": "2025-05-16T09:01:05.301000",
          "created": "2025-04-16T09:46:02.608000",
          "tags": [
            "vshell",
            "unc5174",
            "snowlight",
            "code language",
            "perl",
            "november",
            "address34",
            "mandiant",
            "march",
            "cobalt strike",
            "sliver",
            "telegram",
            "downloader",
            "summer",
            "macos",
            "virustotal",
            "february",
            "strings",
            "trojan",
            "generator"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "URL": 10,
            "YARA": 1,
            "domain": 18,
            "hostname": 17
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67feed521c3dc814c01f8642",
          "name": "InQuest - 15-04-2025",
          "description": "",
          "modified": "2025-05-15T23:00:16.595000",
          "created": "2025-04-15T23:35:46.230000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 544,
            "FileHash-SHA256": 505,
            "FileHash-MD5": 59,
            "hostname": 120,
            "domain": 141,
            "FileHash-SHA1": 26
          },
          "indicator_count": 1395,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "383 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6800736fc3c0e6a4840d5ec6",
          "name": "IOC&TTP - UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare From SNOWLIGHT to VShell",
          "description": "\u5728\u6f5c\u4f0f\u8fd1\u4e00\u5e74\u7684\u65f6\u95f4\u540e\uff0c\u5a01\u80c1\u60c5\u62a5\u7814\u7a76\u56e2\u961f\uff08TRT\uff09\u53d1\u73b0\u4e86\u4e00\u4e2a\u7531\u4e2d\u56fd\u56fd\u5bb6\u652f\u6301\u7684\u653b\u51fb\u7ec4\u7ec7 UNC5174 \u53d1\u8d77\u7684\u65b0\u653b\u51fb\u884c\u52a8\u3002\u8be5\u7ec4\u7ec7\u5728 2025 \u5e74 1 \u6708\u4e0b\u65ec\u5f00\u59cb\u4f7f\u7528\u4e00\u6b3e\u65b0\u7684\u5f00\u6e90\u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09\u4e0e\u5168\u65b0\u57df\u540d\u57fa\u7840\u8bbe\u65bd\u3002\u7814\u7a76\u4eba\u5458\u9996\u5148\u53d1\u73b0\u4e86\u4e00\u4e2a\u6076\u610f\u7684 bash \u811a\u672c\uff0c\u8d1f\u8d23\u4e0b\u8f7d\u5e76\u5b89\u88c5\u591a\u4e2a\u6076\u610f\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u4ee5\u8fbe\u6210\u6301\u4e45\u5316\u76ee\u7684\u3002\u5176\u4e2d\u4e00\u4e2a\u4e0b\u8f7d\u7684\u53ef\u6267\u884c\u6587\u4ef6\u662f UNC5174 \u66fe\u5728\u65e9\u671f\u884c\u52a8\u4e2d\u90e8\u7f72\u7684\u201cSNOWLIGHT\u201d\u6076\u610f\u7a0b\u5e8f\uff0c\u540e\u7eed\u4f1a\u5728\u5185\u5b58\u4e2d\u6ce8\u5165\u4e00\u6b3e\u540d\u4e3a VShell \u7684\u65b0\u578b RAT\u3002VShell \u5728\u5730\u4e0b\u8bba\u575b\u4e2d\u9887\u53d7\u5173\u6ce8\uff0c\u5c24\u5176\u5728\u4e2d\u6587\u793e\u533a\u88ab\u89c6\u4e3a\u201c\u6bd4\u77e5\u540d\u7684 Cobalt Strike \u6846\u67b6\u66f4\u4f18\u79c0\u201d\u7684\u5de5\u5177\u3002\u901a\u8fc7\u8ffd\u8e2a\u5e76\u5bf9\u6bd4\u6b64\u524d\u76f8\u5173\u62a5\u544a\uff0c\u7814\u7a76\u4eba\u5458\u786e\u8ba4 UNC5174 \u5728\u672c\u6b21\u884c\u52a8\u4e2d\u4f7f\u7528\u4e86\u66f4\u7cbe\u5de7\u7684\u653b\u9632\u624b\u6bb5\uff0c\u5305\u62ec WebSockets \u4f5c\u4e3a\u547d\u4ee4\u4e0e\u63a7\u5236\uff08C2\uff09\u4fe1\u9053\uff0c\u5e76\u5229\u7528\u201c\u65e0\u6587\u4ef6\u201d\u5316\u8f7d\u8377\uff08fileless payload\uff09\u6765\u89c4\u907f\u68c0\u6d4b\u3002\u7ed3\u5408 UNC5174 \n\u5386\u6765\u7684\u884c\u52a8\u7279\u5f81\uff0c\u7814\u7a76\u8ba4\u4e3a\u8be5\u7ec4\u7ec7\u7684\u4e3b\u8981\u52a8\u673a\u53ef\u80fd\u5305\u62ec\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\u4ee5\u53ca\u5bf9\u5916\u51fa\u552e\u6216\u8f6c\u8ba9\u5165\u4fb5\u540e\u53d6\u5f97\u7684\u8bbf\u95ee\u6743\u9650\u3002\u56e2\u961f\u7531\u6b64\u5224\u65ad\uff0c\u8be5\u7ec4\u7ec7\u5c06\u7ee7\u7eed\u652f\u6301\u4e2d\u56fd\u653f\u5e9c\u5728\u7f51\u7edc\u9886\u57df\u7684\u60c5\u62a5\u6536\u96c6\u548c\u6f5c\u5728\u5f71\u54cd\u6d3b\u52a8\uff0c\u5e76\u53ef\u80fd\u4e0d\u65ad\u6269\u5145\u81ea\u8eab\u7684\u5b9a\u5236\u5316\u6216\u5f00\u6e90\u5316\u5de5\u5177\u7ec4\u5408\u6765\u9690\u533f\u8eab\u4efd\u3001\u7ef4\u6301\u957f\u4e45\u8bbf\u95ee\u3002",
          "modified": "2025-04-17T03:20:28.219000",
          "created": "2025-04-17T03:20:15.824000",
          "tags": [
            "china",
            "sliver",
            "snowlight",
            "linux",
            "vshell"
          ],
          "references": [
            "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell"
          ],
          "public": 1,
          "adversary": "UNC5174",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            },
            {
              "id": "Sliver",
              "display_name": "Sliver",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Energy",
            "Healthcare",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "67ffc3f9b45a8daa24fcb4fe",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 5,
            "hostname": 12
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "412 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a8d0e4ce290033a1c68d51",
          "name": "SuperShell C2",
          "description": "",
          "modified": "2025-03-11T15:02:54.145000",
          "created": "2025-02-09T15:59:32.982000",
          "tags": [
            "c2",
            "supershell"
          ],
          "references": [
            "https://x.com/BlinkzSec/status/1888538690755891618",
            "https://privatebin.net/?e079e8c49cd7d2ae#4tbWnxqfdvNjWrStv4NtrWFr76AMzQt2LMCxGzVqqKie"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 3
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "448 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "677f9d7059174cdad6f42041",
          "name": "IoC Feed test",
          "description": "test",
          "modified": "2025-02-08T09:03:17.379000",
          "created": "2025-01-09T09:57:04.368000",
          "tags": [
            "e http",
            "b5tu",
            "b6910",
            "anti",
            "vcommand3002"
          ],
          "references": [
            "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt",
            "https://urlhaus.abuse.ch/downloads/text_online/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ste_avbr",
            "id": "262315",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12803,
            "FileHash-MD5": 23,
            "domain": 523,
            "hostname": 277,
            "CVE": 6,
            "FileHash-SHA1": 7
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "479 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "677f9d73e8c5a667c1cfdd90",
          "name": "IoC Feed test",
          "description": "test",
          "modified": "2025-02-08T09:03:17.379000",
          "created": "2025-01-09T09:57:07.732000",
          "tags": [
            "e http",
            "b5tu",
            "b6910",
            "anti",
            "vcommand3002"
          ],
          "references": [
            "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt",
            "https://urlhaus.abuse.ch/downloads/text_online/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ste_avbr",
            "id": "262315",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12803,
            "FileHash-MD5": 23,
            "domain": 523,
            "hostname": 277,
            "CVE": 6,
            "FileHash-SHA1": 7
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "479 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "677f9d750c21100324bd26a7",
          "name": "IoC Feed test",
          "description": "test",
          "modified": "2025-02-08T09:03:17.379000",
          "created": "2025-01-09T09:57:09.583000",
          "tags": [
            "e http",
            "b5tu",
            "b6910",
            "anti",
            "vcommand3002"
          ],
          "references": [
            "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt",
            "https://urlhaus.abuse.ch/downloads/text_online/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ste_avbr",
            "id": "262315",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12803,
            "FileHash-MD5": 23,
            "domain": 523,
            "hostname": 277,
            "CVE": 6,
            "FileHash-SHA1": 7
          },
          "indicator_count": 13639,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 26,
          "modified_text": "479 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d9eb082ba8ee6c0db1c9cf",
          "name": "urlhaus.abuse.ch",
          "description": "",
          "modified": "2024-10-05T17:03:18.260000",
          "created": "2024-09-05T17:31:52.439000",
          "tags": [
            "nda0e",
            "mozi",
            "clearlynotb",
            "coinminer",
            "cobaltstrike",
            "bitsight",
            "guloader",
            "redlinestealer",
            "stealc",
            "lummastealer",
            "vidar",
            "ransomware",
            "remcosrat",
            "asyncrat",
            "gandcrab",
            "agenttesla",
            "amadey",
            "systembc",
            "recordbreaker",
            "quasarrat",
            "spynote",
            "formbook",
            "babadeda",
            "metasploit",
            "metastealer",
            "loki",
            "blackmoon",
            "loader",
            "raccoonstealer",
            "piratestealer",
            "dridex",
            "cobalt strike",
            "stormkitty",
            "darktortilla",
            "venomrat",
            "sliver",
            "avemariarat",
            "neshta",
            "triada",
            "fakechrome",
            "grayware",
            "danabot",
            "darkgate",
            "connectback",
            "troldesh",
            "rhadamanthys",
            "nukesped",
            "tofsee",
            "purplefox",
            "earthworm",
            "azorult",
            "redosdru",
            "getshell",
            "donut",
            "aurora stealer",
            "laplasclipper",
            "redline",
            "wingo",
            "flyagent",
            "darkside",
            "badpotato",
            "juicypotato",
            "dharma",
            "casbaneiro",
            "clearfake",
            "parallax",
            "parallaxrat",
            "phonk",
            "qakbot",
            "purecrypter",
            "revengerat"
          ],
          "references": [
            "https://urlhaus.abuse.ch/downloads/json_online/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 95,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "JohnnyCS",
            "id": "293079",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 8,
            "URL": 7927,
            "domain": 119,
            "hostname": 162
          },
          "indicator_count": 8228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "605 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://labs.inquest.net/iocdb",
        "https://urlhaus.abuse.ch/downloads/json_online/",
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://x.com/BlinkzSec/status/1888538690755891618",
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell",
        "https://privatebin.net/?e079e8c49cd7d2ae#4tbWnxqfdvNjWrStv4NtrWFr76AMzQt2LMCxGzVqqKie",
        "https://urlhaus.abuse.ch/downloads/text_online/",
        "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC5174"
          ],
          "malware_families": [
            "Sliver",
            "Snowlight",
            "Vshell"
          ],
          "industries": [
            "Technology",
            "Defense",
            "Government",
            "Healthcare",
            "Energy"
          ]
        },
        "other": {
          "adversary": [
            "UNC5174"
          ],
          "malware_families": [
            "Sliver",
            "Snowlight",
            "Vshell"
          ],
          "industries": [
            "Technology",
            "Defense",
            "Government",
            "Healthcare",
            "Energy"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "67ffc3f9b45a8daa24fcb4fe",
      "name": "UNC5174's evolution in China's ongoing cyber warfare: From SNOWLIGHT to VShell",
      "description": "Chinese state-sponsored threat actor UNC5174 has launched a new campaign using SNOWLIGHT malware and VShell, a Remote Access Trojan. The campaign targets Linux systems, employing domain squatting for phishing and social engineering. SNOWLIGHT acts as a dropper for VShell, which resides in memory as a fileless payload. The attackers use WebSockets for command and control communication, enhancing stealth. UNC5174's motivations include espionage and access brokering. The campaign has been active since November 2024, demonstrating sophisticated techniques such as memory manipulation and defense evasion. This development highlights the threat actor's expanding arsenal and continued support for Chinese government operations.",
      "modified": "2025-04-16T18:04:46.571000",
      "created": "2025-04-16T14:51:37.819000",
      "tags": [
        "china",
        "sliver",
        "snowlight",
        "linux",
        "vshell"
      ],
      "references": [
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell"
      ],
      "public": 1,
      "adversary": "UNC5174",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        },
        {
          "id": "Sliver",
          "display_name": "Sliver",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Healthcare",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 5,
        "hostname": 12
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387010,
      "modified_text": "412 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "354 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68018ec0d07bce6af1ad2c0d",
      "name": "InQuest - 17-04-2025",
      "description": "",
      "modified": "2025-05-17T23:00:53.793000",
      "created": "2025-04-17T23:29:04.810000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 16,
        "domain": 109,
        "URL": 474,
        "hostname": 107,
        "FileHash-SHA256": 463,
        "FileHash-MD5": 20
      },
      "indicator_count": 1189,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68003f65380d5b54e3cd7580",
      "name": "InQuest - 16-04-2025",
      "description": "",
      "modified": "2025-05-16T23:04:47.236000",
      "created": "2025-04-16T23:38:13.521000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 540,
        "FileHash-MD5": 8,
        "FileHash-SHA256": 503,
        "hostname": 109,
        "domain": 142,
        "FileHash-SHA1": 19
      },
      "indicator_count": 1321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ffa95f151c5344baf7419f",
      "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
      "description": "",
      "modified": "2025-05-16T12:05:02.605000",
      "created": "2025-04-16T12:58:07.087000",
      "tags": [
        "vshell",
        "unc5174",
        "snowlight",
        "code language",
        "perl",
        "november",
        "address34",
        "mandiant",
        "march",
        "cobalt strike",
        "sliver",
        "telegram",
        "downloader",
        "summer",
        "macos",
        "virustotal",
        "february",
        "strings",
        "trojan",
        "generator"
      ],
      "references": [
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 6,
        "URL": 10,
        "YARA": 1,
        "domain": 18,
        "hostname": 17
      },
      "indicator_count": 62,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6801d029c9e039c4cc2da8a1",
      "name": "UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare: From SNOWLIGHT to VShell | Sysdig",
      "description": "",
      "modified": "2025-05-16T12:05:02.605000",
      "created": "2025-04-18T04:08:09.746000",
      "tags": [
        "vshell",
        "unc5174",
        "snowlight",
        "code language",
        "perl",
        "november",
        "address34",
        "mandiant",
        "march",
        "cobalt strike",
        "sliver",
        "telegram",
        "downloader",
        "summer",
        "macos",
        "virustotal",
        "february",
        "strings",
        "trojan",
        "generator"
      ],
      "references": [
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67ffa95f151c5344baf7419f",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 6,
        "URL": 10,
        "YARA": 1,
        "domain": 18,
        "hostname": 17
      },
      "indicator_count": 62,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ff7c5a5163eb4b1d743547",
      "name": "China Hackers Launch Stealth Linux Attacks with SNOWLIGHT and VShell",
      "description": "A China-linked threat actor, tracked as UNC5174, has launched a new campaign using a variant of the SNOWLIGHT malware and a remote access trojan known as VShell to compromise Linux systems. The group is leveraging open-source tools to reduce costs, blend in with less advanced attackers, and evade detection.",
      "modified": "2025-05-16T09:01:05.301000",
      "created": "2025-04-16T09:46:02.608000",
      "tags": [
        "vshell",
        "unc5174",
        "snowlight",
        "code language",
        "perl",
        "november",
        "address34",
        "mandiant",
        "march",
        "cobalt strike",
        "sliver",
        "telegram",
        "downloader",
        "summer",
        "macos",
        "virustotal",
        "february",
        "strings",
        "trojan",
        "generator"
      ],
      "references": [
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 6,
        "URL": 10,
        "YARA": 1,
        "domain": 18,
        "hostname": 17
      },
      "indicator_count": 62,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67feed521c3dc814c01f8642",
      "name": "InQuest - 15-04-2025",
      "description": "",
      "modified": "2025-05-15T23:00:16.595000",
      "created": "2025-04-15T23:35:46.230000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 544,
        "FileHash-SHA256": 505,
        "FileHash-MD5": 59,
        "hostname": 120,
        "domain": 141,
        "FileHash-SHA1": 26
      },
      "indicator_count": 1395,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "383 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6800736fc3c0e6a4840d5ec6",
      "name": "IOC&TTP - UNC5174\u2019s evolution in China\u2019s ongoing cyber warfare From SNOWLIGHT to VShell",
      "description": "\u5728\u6f5c\u4f0f\u8fd1\u4e00\u5e74\u7684\u65f6\u95f4\u540e\uff0c\u5a01\u80c1\u60c5\u62a5\u7814\u7a76\u56e2\u961f\uff08TRT\uff09\u53d1\u73b0\u4e86\u4e00\u4e2a\u7531\u4e2d\u56fd\u56fd\u5bb6\u652f\u6301\u7684\u653b\u51fb\u7ec4\u7ec7 UNC5174 \u53d1\u8d77\u7684\u65b0\u653b\u51fb\u884c\u52a8\u3002\u8be5\u7ec4\u7ec7\u5728 2025 \u5e74 1 \u6708\u4e0b\u65ec\u5f00\u59cb\u4f7f\u7528\u4e00\u6b3e\u65b0\u7684\u5f00\u6e90\u8fdc\u7a0b\u8bbf\u95ee\u6728\u9a6c\uff08RAT\uff09\u4e0e\u5168\u65b0\u57df\u540d\u57fa\u7840\u8bbe\u65bd\u3002\u7814\u7a76\u4eba\u5458\u9996\u5148\u53d1\u73b0\u4e86\u4e00\u4e2a\u6076\u610f\u7684 bash \u811a\u672c\uff0c\u8d1f\u8d23\u4e0b\u8f7d\u5e76\u5b89\u88c5\u591a\u4e2a\u6076\u610f\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u4ee5\u8fbe\u6210\u6301\u4e45\u5316\u76ee\u7684\u3002\u5176\u4e2d\u4e00\u4e2a\u4e0b\u8f7d\u7684\u53ef\u6267\u884c\u6587\u4ef6\u662f UNC5174 \u66fe\u5728\u65e9\u671f\u884c\u52a8\u4e2d\u90e8\u7f72\u7684\u201cSNOWLIGHT\u201d\u6076\u610f\u7a0b\u5e8f\uff0c\u540e\u7eed\u4f1a\u5728\u5185\u5b58\u4e2d\u6ce8\u5165\u4e00\u6b3e\u540d\u4e3a VShell \u7684\u65b0\u578b RAT\u3002VShell \u5728\u5730\u4e0b\u8bba\u575b\u4e2d\u9887\u53d7\u5173\u6ce8\uff0c\u5c24\u5176\u5728\u4e2d\u6587\u793e\u533a\u88ab\u89c6\u4e3a\u201c\u6bd4\u77e5\u540d\u7684 Cobalt Strike \u6846\u67b6\u66f4\u4f18\u79c0\u201d\u7684\u5de5\u5177\u3002\u901a\u8fc7\u8ffd\u8e2a\u5e76\u5bf9\u6bd4\u6b64\u524d\u76f8\u5173\u62a5\u544a\uff0c\u7814\u7a76\u4eba\u5458\u786e\u8ba4 UNC5174 \u5728\u672c\u6b21\u884c\u52a8\u4e2d\u4f7f\u7528\u4e86\u66f4\u7cbe\u5de7\u7684\u653b\u9632\u624b\u6bb5\uff0c\u5305\u62ec WebSockets \u4f5c\u4e3a\u547d\u4ee4\u4e0e\u63a7\u5236\uff08C2\uff09\u4fe1\u9053\uff0c\u5e76\u5229\u7528\u201c\u65e0\u6587\u4ef6\u201d\u5316\u8f7d\u8377\uff08fileless payload\uff09\u6765\u89c4\u907f\u68c0\u6d4b\u3002\u7ed3\u5408 UNC5174 
\u5386\u6765\u7684\u884c\u52a8\u7279\u5f81\uff0c\u7814\u7a76\u8ba4\u4e3a\u8be5\u7ec4\u7ec7\u7684\u4e3b\u8981\u52a8\u673a\u53ef\u80fd\u5305\u62ec\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\u4ee5\u53ca\u5bf9\u5916\u51fa\u552e\u6216\u8f6c\u8ba9\u5165\u4fb5\u540e\u53d6\u5f97\u7684\u8bbf\u95ee\u6743\u9650\u3002\u56e2\u961f\u7531\u6b64\u5224\u65ad\uff0c\u8be5\u7ec4\u7ec7\u5c06\u7ee7\u7eed\u652f\u6301\u4e2d\u56fd\u653f\u5e9c\u5728\u7f51\u7edc\u9886\u57df\u7684\u60c5\u62a5\u6536\u96c6\u548c\u6f5c\u5728\u5f71\u54cd\u6d3b\u52a8\uff0c\u5e76\u53ef\u80fd\u4e0d\u65ad\u6269\u5145\u81ea\u8eab\u7684\u5b9a\u5236\u5316\u6216\u5f00\u6e90\u5316\u5de5\u5177\u7ec4\u5408\u6765\u9690\u533f\u8eab\u4efd\u3001\u7ef4\u6301\u957f\u4e45\u8bbf\u95ee\u3002",
      "modified": "2025-04-17T03:20:28.219000",
      "created": "2025-04-17T03:20:15.824000",
      "tags": [
        "china",
        "sliver",
        "snowlight",
        "linux",
        "vshell"
      ],
      "references": [
        "https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell"
      ],
      "public": 1,
      "adversary": "UNC5174",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        },
        {
          "id": "Sliver",
          "display_name": "Sliver",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Energy",
        "Healthcare",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "67ffc3f9b45a8daa24fcb4fe",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 5,
        "hostname": 12
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "412 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a8d0e4ce290033a1c68d51",
      "name": "SuperShell C2",
      "description": "",
      "modified": "2025-03-11T15:02:54.145000",
      "created": "2025-02-09T15:59:32.982000",
      "tags": [
        "c2",
        "supershell"
      ],
      "references": [
        "https://x.com/BlinkzSec/status/1888538690755891618",
        "https://privatebin.net/?e079e8c49cd7d2ae#4tbWnxqfdvNjWrStv4NtrWFr76AMzQt2LMCxGzVqqKie"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 3
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "448 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ciscocdn.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ciscocdn.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 2,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "http://ciscocdn.com:8888/supershell/compile/download/n",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-08-03",
        "tags": [
          "ReverseSSH",
          "supershell-c2"
        ]
      },
      {
        "url": "http://ciscocdn.com:8888/supershell/compile/download/x64",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-08-03",
        "tags": [
          "supershell",
          "supershell-c2"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780462534.8503118
}