{ "type": "Domain", "indicator": "code-afsanalytics.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/code-afsanalytics.com", "alexa": "http://www.alexa.com/siteinfo/code-afsanalytics.com", "indicator": "code-afsanalytics.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2962777409, "indicator": "code-afsanalytics.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6194c2377054cd0b3046ca6c", "name": "Strategic web compromises in the Middle East with a pinch of Candiru", "description": "The first wave of attacks on high-profile websites in the Middle East started in April 2020, and went quiet until January 2021, according to researchers, who have uncovered links with a private Israeli spyware firm.", "modified": "2024-05-29T17:49:15.671000", "created": "2021-11-17T08:49:58.619000", "tags": [ "candiru", "karkadann", "javascript", "middle east", "vba macro" ], "references": [ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/" ], "public": 1, "adversary": "Candiru", "targeted_countries": [ "Uzbekistan", "Russian Federation", "Albania", "Armenia", "Yemen" ], "malware_families": [ { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "Karkadann", "display_name": "Karkadann", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Medical", "Government", "Tech", "Media", "Finance", "Electricity", "Foreign Affairs", "Aerospace", "Embassy" ], "TLP": "white", "cloned_from": null, "export_count": 333, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "URL": 8, "domain": 38 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386876, "modified_text": "733 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863c9691aecb6c01963ffa0", "name": "Iranian APT Actors-Pt1", "description": "", "modified": "2025-07-31T11:02:12.428000", "created": "2025-07-01T11:41:28.230000", "tags": [], "references": [ "IOCs2.pdf" ], "public": 1, "adversary": "Yellow Liderc, APT34, Void Manticore", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 129, "FileHash-MD5": 135, "FileHash-SHA1": 139, "FileHash-SHA256": 167, "CVE": 8, "domain": 323, "hostname": 71 }, "indicator_count": 972, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654eef086bb01eb6f30b8597", "name": "Imperial Kitten APT Claws at Israeli Industry", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-11-11T03:03:36.624000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654eef09a21dc287daf71a1d", "name": "Imperial Kitten APT Claws at Israeli Industry", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-11-11T03:03:37.702000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65699d274c86d8025b6b5938", "name": "Imperial Kitten APT Claws at Israeli Industry [Created by Cryptocti]", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-12-01T08:45:27.066000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": "654eef09a21dc287daf71a1d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "656a96c4f39ec3cdc99278cb", "name": "Imperial Kitten APT Claws at Israeli Industry [Created by Cryptocti]", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-12-02T02:30:28.464000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": "65699d274c86d8025b6b5938", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/", "APT-Israel.pdf", "IOCs2.pdf", "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true" ], "related": { "alienvault": { "adversary": [ "Candiru" ], "malware_families": [ "Candiru", "Karkadann" ], "industries": [ "Embassy", "Foreign affairs", "Medical", "Tech", "Aerospace", "Government", "Finance", "Media", "Electricity" ] }, "other": { "adversary": [ "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "Yellow Liderc, APT34, Void Manticore", "Imperial Kitten" ], "malware_families": [ "Android", "Imaploader", "Python", "Kamran", "Candiru", "Karkadann" ], "industries": [ "Energy", "Electricity", "Defense", "Foreign affairs", "Maritime", "Tech", "Aerospace", "Logistics", "Medical", "Telecommunications", "Consulting", "Technology", "Government", "Finance", "Transportation", "Media", "Embassy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6194c2377054cd0b3046ca6c", "name": "Strategic web compromises in the Middle East with a pinch of Candiru", "description": "The first wave of attacks on high-profile websites in the Middle East started in April 2020, and went quiet until January 2021, according to researchers, who have uncovered links with a private Israeli spyware firm.", "modified": "2024-05-29T17:49:15.671000", "created": "2021-11-17T08:49:58.619000", "tags": [ "candiru", "karkadann", "javascript", "middle east", "vba macro" ], "references": [ "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/" ], "public": 1, "adversary": "Candiru", "targeted_countries": [ "Uzbekistan", "Russian Federation", "Albania", "Armenia", "Yemen" ], "malware_families": [ { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "Karkadann", "display_name": "Karkadann", "target": null } ], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Medical", "Government", "Tech", "Media", "Finance", "Electricity", "Foreign Affairs", "Aerospace", "Embassy" ], "TLP": "white", "cloned_from": null, "export_count": 333, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "URL": 8, "domain": 38 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 386876, "modified_text": "733 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6865117ef69a048ce6a4d04e", "name": "Israel APT actors", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-07-02T11:01:18.401000", "tags": [], "references": [ "APT-Israel.pdf" ], "public": 1, "adversary": "Caramel Tsunami, Candiru, Gonjeshke Darande, Predatory Sparrow, Phlox Tempest, Carmine Tsunami, DEEV", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 34, "FileHash-SHA256": 34, "URL": 3, "domain": 405 }, "indicator_count": 510, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863c9691aecb6c01963ffa0", "name": "Iranian APT Actors-Pt1", "description": "", "modified": "2025-07-31T11:02:12.428000", "created": "2025-07-01T11:41:28.230000", "tags": [], "references": [ "IOCs2.pdf" ], "public": 1, "adversary": "Yellow Liderc, APT34, Void Manticore", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 129, "FileHash-MD5": 135, "FileHash-SHA1": 139, "FileHash-SHA256": 167, "CVE": 8, "domain": 323, "hostname": 71 }, "indicator_count": 972, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654eef086bb01eb6f30b8597", "name": "Imperial Kitten APT Claws at Israeli Industry", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-11-11T03:03:36.624000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654eef09a21dc287daf71a1d", "name": "Imperial Kitten APT Claws at Israeli Industry", "description": "", "modified": "2023-12-11T03:01:57.646000", "created": "2023-11-11T03:03:37.702000", "tags": [ "attacks-breaches", "dr-global", "middle-east-and-africa", "iran", "crowdstrike", "imperial kitten", "yellow liderc", "tortoiseshell", "ta456", "it service", "web compromise", "microsoft excel", "paexec utility", "unknown", "c server", "candiru", "figure", "watering hole", "middle east", "strong", "javascript code", "citizen lab", "eset research", "first", "april", "august", "cluster", "virustotal", "mozi", "tips", "back", "twitter", "june", "middle", "armenia", "albania", "comment", "malware", "target", "karkadann", "kamran", "android", "imaploader", "sha256 hash", "computers", "ip address", "discord", "kitten", "uuid", "intelligence", "paexec", "python", "sugarrush", "later", "netscan", "procdump", "icmp", "deploys novel" ], "references": [ "https://www.darkreading.com/dr-global/imperial-kitten-israeli-industry-multiyear-spy-effort?&web_view=true", "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", "https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/" ], "public": 1, "adversary": "Imperial Kitten", "targeted_countries": [ "Yemen" ], "malware_families": [ { "id": "Karkadann", "display_name": "Karkadann", "target": null }, { "id": "Kamran", "display_name": "Kamran", "target": null }, { "id": "Android", "display_name": "Android", "target": null }, { "id": "Candiru", "display_name": "Candiru", "target": null }, { "id": "IMAPLoader", "display_name": "IMAPLoader", "target": null }, { "id": "Python", "display_name": "Python", "target": null } ], "attack_ids": [ { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Transportation", "Technology", "Logistics", "Maritime", "Embassy", "Aerospace", "Foreign Affairs", "Electricity", "Finance", "Media", "Tech", "Government", "Medical", "Defense", "Telecommunications", "Energy", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 8, "domain": 68, "hostname": 3, "email": 2 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "904 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "code-afsanalytics.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "code-afsanalytics.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780397733.7481234 }