{
  "type": "Domain",
  "indicator": "cloudgoogle.co",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/cloudgoogle.co",
    "alexa": "http://www.alexa.com/siteinfo/cloudgoogle.co",
    "indicator": "cloudgoogle.co",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3419089159,
      "indicator": "cloudgoogle.co",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "624f0d6039be61f29b5f463c",
          "name": "Adversarial Threat Report - April 2022",
          "description": "Cyber espionage actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts. Researchers identified a group of hackers from Iran, known in the security industry as UNC788, that targeted people in the Middle East, including Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the US, and Iran-focused academics, activists and journalists around the world.",
          "modified": "2022-04-07T16:12:15.720000",
          "created": "2022-04-07T16:12:15.720000",
          "tags": [
            "HilalRAT",
            "Meta",
            "Facebook",
            "NGOs",
            "Geopolitical conflict",
            "UNC788",
            "VMware"
          ],
          "references": [
            "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"
          ],
          "public": 1,
          "adversary": "UNC788",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Germany",
            "United Arab Emirates",
            "Norway",
            "Iceland",
            "Israel",
            "India",
            "Azerbaijan",
            "Saudi Arabia",
            "Brazil",
            "Ukraine",
            "Nigeria",
            "Cameroon",
            "Gambia",
            "Zimbabwe",
            "Congo"
          ],
          "malware_families": [
            {
              "id": "HilalRAT",
              "display_name": "HilalRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1017",
              "name": "Application Deployment Software",
              "display_name": "T1017 - Application Deployment Software"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            }
          ],
          "industries": [
            "Energy",
            "Finance",
            "Government",
            "NGO"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 292,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 3,
            "domain": 57,
            "hostname": 10
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386555,
          "modified_text": "1515 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6260576f481e853fdedd5b2c",
          "name": "TA455 from Iran",
          "description": "Facebook/Meta took action against a previously unreported hacking group from Iran that targeted or spoofed companies in multiple industries around the world. This included energy companies in Saudi Arabia, Canada, Italy, and Russia; the information technology industry in India and United Arab Emirates; the maritime logistics industry in UAE, Iceland, Norway, Saudi Arabia, US, Israel, and India; telecommunications companies in Saudi Arabia and UAE; and the semiconductor industry in Israel, US, and Germany. This group used similar TTPs to another threat actor dubbed Tortoiseshell that we reported on last year, but in this case we saw different targeting, technical infrastructure, and distinct malware.",
          "modified": "2022-04-20T18:56:47.303000",
          "created": "2022-04-20T18:56:47.303000",
          "tags": [
            "domains"
          ],
          "references": [
            "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf",
            "https://twitter.com/ChicagoCyber/status/1512084888127561738"
          ],
          "public": 1,
          "adversary": "TA455",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 167,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "343GuiltySpark",
            "id": "91492",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91492/resized/80/avatar_b7653559df.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6,
            "domain": 48
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 559,
          "modified_text": "1501 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf",
        "https://twitter.com/ChicagoCyber/status/1512084888127561738"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC788"
          ],
          "malware_families": [
            "Hilalrat"
          ],
          "industries": [
            "Government",
            "Energy",
            "Ngo",
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "TA455"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "624f0d6039be61f29b5f463c",
      "name": "Adversarial Threat Report - April 2022",
      "description": "Cyber espionage actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts. Researchers identified a group of hackers from Iran, known in the security industry as UNC788, that targeted people in the Middle East, including Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the US, and Iran-focused academics, activists and journalists around the world.",
      "modified": "2022-04-07T16:12:15.720000",
      "created": "2022-04-07T16:12:15.720000",
      "tags": [
        "HilalRAT",
        "Meta",
        "Facebook",
        "NGOs",
        "Geopolitical conflict",
        "UNC788",
        "VMware"
      ],
      "references": [
        "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"
      ],
      "public": 1,
      "adversary": "UNC788",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Germany",
        "United Arab Emirates",
        "Norway",
        "Iceland",
        "Israel",
        "India",
        "Azerbaijan",
        "Saudi Arabia",
        "Brazil",
        "Ukraine",
        "Nigeria",
        "Cameroon",
        "Gambia",
        "Zimbabwe",
        "Congo"
      ],
      "malware_families": [
        {
          "id": "HilalRAT",
          "display_name": "HilalRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1017",
          "name": "Application Deployment Software",
          "display_name": "T1017 - Application Deployment Software"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        }
      ],
      "industries": [
        "Energy",
        "Finance",
        "Government",
        "NGO"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 292,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 3,
        "domain": 57,
        "hostname": 10
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386555,
      "modified_text": "1515 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6260576f481e853fdedd5b2c",
      "name": "TA455 from Iran",
      "description": "Facebook/Meta took action against a previously unreported hacking group from Iran that targeted or spoofed companies in multiple industries around the world. This included energy companies in Saudi Arabia, Canada, Italy, and Russia; the information technology industry in India and United Arab Emirates; the maritime logistics industry in UAE, Iceland, Norway, Saudi Arabia, US, Israel, and India; telecommunications companies in Saudi Arabia and UAE; and the semiconductor industry in Israel, US, and Germany. This group used similar TTPs to another threat actor dubbed Tortoiseshell that we reported on last year, but in this case we saw different targeting, technical infrastructure, and distinct malware.",
      "modified": "2022-04-20T18:56:47.303000",
      "created": "2022-04-20T18:56:47.303000",
      "tags": [
        "domains"
      ],
      "references": [
        "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf",
        "https://twitter.com/ChicagoCyber/status/1512084888127561738"
      ],
      "public": 1,
      "adversary": "TA455",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 167,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "343GuiltySpark",
        "id": "91492",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91492/resized/80/avatar_b7653559df.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 6,
        "domain": 48
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 559,
      "modified_text": "1501 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "cloudgoogle.co",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "cloudgoogle.co",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780246508.432729
}