{ "type": "Domain", "indicator": "codeaddon.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/codeaddon.net", "alexa": "http://www.alexa.com/siteinfo/codeaddon.net", "indicator": "codeaddon.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3382167227, "indicator": "codeaddon.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6700f9d1802d01e39f333f05", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on common techniques and attributes used in malicious campaigns. Four new campaigns were uncovered: FinHealthXDS (targeting finance and healthcare), RussianSite (over 100 domains sharing a Russian nameserver), 8NS (domains with 8 NS records), and NSfinder (domains combining words ending in 'finder'). The campaigns exploit DNS protocol vulnerabilities to establish covert communication channels for data exfiltration and infiltration. Common attributes within campaigns include shared infrastructure, DNS configurations, payload encoding methods, domain registration patterns, and attack targets. The monitoring system has been implemented in Palo Alto Networks' Advanced DNS Security service to provide enhanced protection against emerging DNS tunneling threats.", "modified": "2024-11-04T08:04:26.249000", "created": "2024-10-05T08:33:21.591000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386563, "modified_text": "573 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762b6459e2d7a67412e1707", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "", "modified": "2024-12-18T11:47:17.892000", "created": "2024-12-18T11:47:17.892000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": "6762b5fad9152eaacc3e92a4", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "529 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762b5fad9152eaacc3e92a4", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "", "modified": "2024-12-18T11:46:02.625000", "created": "2024-12-18T11:46:02.625000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": "6700f9d1802d01e39f333f05", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "529 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670d150169ad6ecc7b41b241", "name": "The Everyman Threat Feed", "description": "", "modified": "2024-11-22T17:02:43.253000", "created": "2024-10-14T12:56:33.350000", "tags": [ "Malware", "Phishing", "Threat Feed", "IOCs" ], "references": [ "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jrussell183", "id": "134208", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72, "hostname": 54, "URL": 88, "FileHash-MD5": 1 }, "indicator_count": 215, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6706c9b862faac09c97315ad", "name": "Hackers Utilizing DNS Tunneling Services To Bypass Network Firewalls", "description": "", "modified": "2024-11-08T18:05:48.943000", "created": "2024-10-09T18:21:44.943000", "tags": [ "hashes", "sha256", "domains", "cyber", "threat", "october", "time", "crypto cyber", "defence", "classification" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670650cfd5d0aa5e54265e25", "name": "Hackers Exploiting DNS Tunneling Service To Bypass Network Firewalls", "description": "DNS tunneling is a hacking technique that hides information by taking advantage of the DNS protocol. This attack enables threat actors to evade firewalls and security measures.", "modified": "2024-11-08T09:02:06.888000", "created": "2024-10-09T09:45:51.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67050ef5d10c16b9efb39b9c", "name": "DNS Tunneling - The Hidden Threat Exploited by Cyberattackers", "description": "", "modified": "2024-11-07T10:01:55.660000", "created": "2024-10-08T10:52:37.581000", "tags": [ "soupandselfcare" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6703c8dc6e6270cc4131d5d4", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "Palo Alto Networks has developed a service that can identify and block new, potentially malicious campaigns using DNS tunneling techniques, as part of its ongoing research into cyberattackers' use of the internet infrastructure.", "modified": "2024-11-06T11:02:27.718000", "created": "2024-10-07T11:41:16.900000", "tags": [ "ip address", "palo alto", "unit", "dns tunneling", "russiansite", "nsfinder", "cobalt strike", "advanced dns", "hiloti family", "tunneling", "oilrig", "icedid", "attack", "alliance", "malware", "virustotal", "redline stealer", "trojan" ], "references": [ "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" } ], "industries": [ "Finance", "Medical", "Critical Infrastructure", "Government", "Banking", "Healthcare", "Higher Education", "Health", "High Tech", "Education", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 24, "hostname": 114, "URL": 1 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62149c89ca8a451ac48b3676", "name": "NewDom-1-20220222", "description": "ICANN-Dom", "modified": "2022-04-08T00:05:40.239000", "created": "2022-02-22T08:19:21.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1514 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Hiloti", "Icedid - s0483", "Redline stealer", "Cobalt strike - s0154" ], "industries": [ "Manufacturing", "Government", "Finance", "Technology", "Education", "Healthcare" ] }, "other": { "adversary": [], "malware_families": [ "Redline stealer", "Cobalt strike - s0154", "Icedid - s0483", "Cobalt strike", "Hiloti" ], "industries": [ "Medical", "Manufacturing", "Health", "Higher education", "Government", "Finance", "Critical infrastructure", "Banking", "Technology", "Education", "Healthcare", "High tech" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6700f9d1802d01e39f333f05", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on common techniques and attributes used in malicious campaigns. Four new campaigns were uncovered: FinHealthXDS (targeting finance and healthcare), RussianSite (over 100 domains sharing a Russian nameserver), 8NS (domains with 8 NS records), and NSfinder (domains combining words ending in 'finder'). The campaigns exploit DNS protocol vulnerabilities to establish covert communication channels for data exfiltration and infiltration. Common attributes within campaigns include shared infrastructure, DNS configurations, payload encoding methods, domain registration patterns, and attack targets. The monitoring system has been implemented in Palo Alto Networks' Advanced DNS Security service to provide enhanced protection against emerging DNS tunneling threats.", "modified": "2024-11-04T08:04:26.249000", "created": "2024-10-05T08:33:21.591000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 386563, "modified_text": "573 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762b6459e2d7a67412e1707", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "", "modified": "2024-12-18T11:47:17.892000", "created": "2024-12-18T11:47:17.892000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": "6762b5fad9152eaacc3e92a4", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "529 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762b5fad9152eaacc3e92a4", "name": "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection", "description": "", "modified": "2024-12-18T11:46:02.625000", "created": "2024-12-18T11:46:02.625000", "tags": [ "dns tunneling", "data exfiltration", "cobalt strike", "russiansite", "nsfinder", "redline stealer", "8ns", "covert communications", "hiloti", "icedid", "finhealthxds" ], "references": [ "https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/08_DNS_Overview_1920x900.jpg", "https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Hiloti", "display_name": "Hiloti", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "RedLine stealer", "display_name": "RedLine stealer", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Finance", "Healthcare", "Education", "Government", "Manufacturing", "Technology" ], "TLP": "white", "cloned_from": "6700f9d1802d01e39f333f05", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 22 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "529 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670d150169ad6ecc7b41b241", "name": "The Everyman Threat Feed", "description": "", "modified": "2024-11-22T17:02:43.253000", "created": "2024-10-14T12:56:33.350000", "tags": [ "Malware", "Phishing", "Threat Feed", "IOCs" ], "references": [ "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt", "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jrussell183", "id": "134208", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72, "hostname": 54, "URL": 88, "FileHash-MD5": 1 }, "indicator_count": 215, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6706c9b862faac09c97315ad", "name": "Hackers Utilizing DNS Tunneling Services To Bypass Network Firewalls", "description": "", "modified": "2024-11-08T18:05:48.943000", "created": "2024-10-09T18:21:44.943000", "tags": [ "hashes", "sha256", "domains", "cyber", "threat", "october", "time", "crypto cyber", "defence", "classification" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670650cfd5d0aa5e54265e25", "name": "Hackers Exploiting DNS Tunneling Service To Bypass Network Firewalls", "description": "DNS tunneling is a hacking technique that hides information by taking advantage of the DNS protocol. This attack enables threat actors to evade firewalls and security measures.", "modified": "2024-11-08T09:02:06.888000", "created": "2024-10-09T09:45:51.581000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 20 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67050ef5d10c16b9efb39b9c", "name": "DNS Tunneling - The Hidden Threat Exploited by Cyberattackers", "description": "", "modified": "2024-11-07T10:01:55.660000", "created": "2024-10-08T10:52:37.581000", "tags": [ "soupandselfcare" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "570 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "codeaddon.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "codeaddon.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780255757.2630177 }