{
  "type": "Domain",
  "indicator": "codepool.cloud",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/codepool.cloud",
    "alexa": "http://www.alexa.com/siteinfo/codepool.cloud",
    "indicator": "codepool.cloud",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4138209956,
      "indicator": "codepool.cloud",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69dd073f50edefa3e44adec6",
          "name": "Fake recruiter campaign targets crypto developers with RAT",
          "description": "A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package, which accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the MetaMask browser extension, indicating a focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.",
          "modified": "2026-04-13T15:58:25.756000",
          "created": "2026-04-13T15:09:51.370000",
          "tags": [
            "netstruct",
            "bigmathlib",
            "graphrix",
            "terminal-kleur",
            "bignum",
            "pypi packages",
            "graphorbit",
            "graphnetworkx",
            "bigmathix",
            "fake recruitment",
            "graphalgo",
            "graphnode",
            "bignumx",
            "graphlibx",
            "graphflowx",
            "bignumberx",
            "npm packages",
            "bignumex",
            "graphhub",
            "javascript developers",
            "graphlink",
            "graphdict",
            "supply chain attack",
            "cryptocurrency targeting",
            "graphflux",
            "graphlibcore",
            "graphnet",
            "graphsync",
            "bigmathex",
            "graphkitx",
            "graphex",
            "graphchain",
            "bigmathutils",
            "bigpyx",
            "north korea",
            "blockchain",
            "terminalcolor256",
            "python developers"
          ],
          "references": [
            "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
          ],
          "public": 1,
          "adversary": "Lazarus Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "graphalgo",
              "display_name": "graphalgo",
              "target": null
            },
            {
              "id": "bigmathutils",
              "display_name": "bigmathutils",
              "target": null
            },
            {
              "id": "graphnetworkx",
              "display_name": "graphnetworkx",
              "target": null
            },
            {
              "id": "graphlibcore",
              "display_name": "graphlibcore",
              "target": null
            },
            {
              "id": "netstruct",
              "display_name": "netstruct",
              "target": null
            },
            {
              "id": "terminalcolor256",
              "display_name": "terminalcolor256",
              "target": null
            },
            {
              "id": "graphkitx",
              "display_name": "graphkitx",
              "target": null
            },
            {
              "id": "graphchain",
              "display_name": "graphchain",
              "target": null
            },
            {
              "id": "graphflux",
              "display_name": "graphflux",
              "target": null
            },
            {
              "id": "graphorbit",
              "display_name": "graphorbit",
              "target": null
            },
            {
              "id": "graphnet",
              "display_name": "graphnet",
              "target": null
            },
            {
              "id": "graphhub",
              "display_name": "graphhub",
              "target": null
            },
            {
              "id": "terminal-kleur",
              "display_name": "terminal-kleur",
              "target": null
            },
            {
              "id": "graphrix",
              "display_name": "graphrix",
              "target": null
            },
            {
              "id": "bignumx",
              "display_name": "bignumx",
              "target": null
            },
            {
              "id": "bignumberx",
              "display_name": "bignumberx",
              "target": null
            },
            {
              "id": "bignumex",
              "display_name": "bignumex",
              "target": null
            },
            {
              "id": "bigmathex",
              "display_name": "bigmathex",
              "target": null
            },
            {
              "id": "bigmathlib",
              "display_name": "bigmathlib",
              "target": null
            },
            {
              "id": "bigmathix",
              "display_name": "bigmathix",
              "target": null
            },
            {
              "id": "graphlink",
              "display_name": "graphlink",
              "target": null
            },
            {
              "id": "graphflowx",
              "display_name": "graphflowx",
              "target": null
            },
            {
              "id": "graphex",
              "display_name": "graphex",
              "target": null
            },
            {
              "id": "graphlibx",
              "display_name": "graphlibx",
              "target": null
            },
            {
              "id": "graphdict",
              "display_name": "graphdict",
              "target": null
            },
            {
              "id": "graphnode",
              "display_name": "graphnode",
              "target": null
            },
            {
              "id": "graphsync",
              "display_name": "graphsync",
              "target": null
            },
            {
              "id": "bigpyx",
              "display_name": "bigpyx",
              "target": null
            },
            {
              "id": "bignum",
              "display_name": "bignum",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 60,
            "FileHash-SHA1": 195,
            "FileHash-SHA256": 60,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 319,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386449,
          "modified_text": "47 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699fc0513ab49ceb22c6d96b",
          "name": "TCS IOC",
          "description": "",
          "modified": "2026-05-01T00:01:44.921000",
          "created": "2026-02-26T03:38:57.799000",
          "tags": [
            "https",
            "f https",
            "msgtype1",
            "http",
            "apiv2init"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "myerioc72",
            "id": "364999",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        },
        {
          "id": "69ddc26e2242465c54a3b00e",
          "name": "Fake recruiter campaign targets crypto developers with RAT",
          "description": "",
          "modified": "2026-04-14T04:28:30.452000",
          "created": "2026-04-14T04:28:30.452000",
          "tags": [
            "netstruct",
            "bigmathlib",
            "graphrix",
            "terminal-kleur",
            "bignum",
            "pypi packages",
            "graphorbit",
            "graphnetworkx",
            "bigmathix",
            "fake recruitment",
            "graphalgo",
            "graphnode",
            "bignumx",
            "graphlibx",
            "graphflowx",
            "bignumberx",
            "npm packages",
            "bignumex",
            "graphhub",
            "javascript developers",
            "graphlink",
            "graphdict",
            "supply chain attack",
            "cryptocurrency targeting",
            "graphflux",
            "graphlibcore",
            "graphnet",
            "graphsync",
            "bigmathex",
            "graphkitx",
            "graphex",
            "graphchain",
            "bigmathutils",
            "bigpyx",
            "north korea",
            "blockchain",
            "terminalcolor256",
            "python developers"
          ],
          "references": [
            "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
          ],
          "public": 1,
          "adversary": "Lazarus Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "graphalgo",
              "display_name": "graphalgo",
              "target": null
            },
            {
              "id": "bigmathutils",
              "display_name": "bigmathutils",
              "target": null
            },
            {
              "id": "graphnetworkx",
              "display_name": "graphnetworkx",
              "target": null
            },
            {
              "id": "graphlibcore",
              "display_name": "graphlibcore",
              "target": null
            },
            {
              "id": "netstruct",
              "display_name": "netstruct",
              "target": null
            },
            {
              "id": "terminalcolor256",
              "display_name": "terminalcolor256",
              "target": null
            },
            {
              "id": "graphkitx",
              "display_name": "graphkitx",
              "target": null
            },
            {
              "id": "graphchain",
              "display_name": "graphchain",
              "target": null
            },
            {
              "id": "graphflux",
              "display_name": "graphflux",
              "target": null
            },
            {
              "id": "graphorbit",
              "display_name": "graphorbit",
              "target": null
            },
            {
              "id": "graphnet",
              "display_name": "graphnet",
              "target": null
            },
            {
              "id": "graphhub",
              "display_name": "graphhub",
              "target": null
            },
            {
              "id": "terminal-kleur",
              "display_name": "terminal-kleur",
              "target": null
            },
            {
              "id": "graphrix",
              "display_name": "graphrix",
              "target": null
            },
            {
              "id": "bignumx",
              "display_name": "bignumx",
              "target": null
            },
            {
              "id": "bignumberx",
              "display_name": "bignumberx",
              "target": null
            },
            {
              "id": "bignumex",
              "display_name": "bignumex",
              "target": null
            },
            {
              "id": "bigmathex",
              "display_name": "bigmathex",
              "target": null
            },
            {
              "id": "bigmathlib",
              "display_name": "bigmathlib",
              "target": null
            },
            {
              "id": "bigmathix",
              "display_name": "bigmathix",
              "target": null
            },
            {
              "id": "graphlink",
              "display_name": "graphlink",
              "target": null
            },
            {
              "id": "graphflowx",
              "display_name": "graphflowx",
              "target": null
            },
            {
              "id": "graphex",
              "display_name": "graphex",
              "target": null
            },
            {
              "id": "graphlibx",
              "display_name": "graphlibx",
              "target": null
            },
            {
              "id": "graphdict",
              "display_name": "graphdict",
              "target": null
            },
            {
              "id": "graphnode",
              "display_name": "graphnode",
              "target": null
            },
            {
              "id": "graphsync",
              "display_name": "graphsync",
              "target": null
            },
            {
              "id": "bigpyx",
              "display_name": "bigpyx",
              "target": null
            },
            {
              "id": "bignum",
              "display_name": "bignum",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69dd073f50edefa3e44adec6",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 60,
            "FileHash-SHA1": 195,
            "FileHash-SHA256": 60,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 319,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 279,
          "modified_text": "46 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698fb8581536b5d49a60ce56",
          "name": "Graphalgo Fake Recruiter Supply-Chain Campaign Delivering Multi-Language RAT via OSS Repositories",
          "description": "",
          "modified": "2026-02-13T23:48:37.638000",
          "created": "2026-02-13T23:48:37.638000",
          "tags": [
            "domain",
            "hashmd5",
            "hashsha256"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 14,
          "modified_text": "105 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698e8944dfe02739539fa5b7",
          "name": "IOC - Fake recruiter campaign targets crypto devs",
          "description": "The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group. The campaign, which the team named graphalgo after the first package included in this campaign in the npm repository, has been active since the beginning of May 2025. It is a coordinated campaign targeting both JavaScript and Python developers with cryptocurrency-related fake recruiter tasks.",
          "modified": "2026-02-13T02:15:32.584000",
          "created": "2026-02-13T02:15:32.584000",
          "tags": [
            "pypi",
            "pypi graphdict",
            "pypi graphalgo",
            "pypi graphlibx",
            "pypi bignum",
            "final rat",
            "file type",
            "sha1 python",
            "pypi graphex",
            "pypi graphflux"
          ],
          "references": [
            "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 25,
            "FileHash-SHA1": 195,
            "FileHash-SHA256": 25,
            "domain": 2
          },
          "indicator_count": 247,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "106 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus Group"
          ],
          "malware_families": [
            "Graphsync",
            "Terminalcolor256",
            "Netstruct",
            "Graphalgo",
            "Graphdict",
            "Graphchain",
            "Graphex",
            "Graphhub",
            "Bigmathex",
            "Bigmathlib",
            "Bignumberx",
            "Graphorbit",
            "Bignum",
            "Graphnet",
            "Graphlibcore",
            "Graphlibx",
            "Bigpyx",
            "Graphkitx",
            "Graphlink",
            "Graphflux",
            "Bignumx",
            "Terminal-kleur",
            "Bigmathix",
            "Bignumex",
            "Graphnetworkx",
            "Graphrix",
            "Graphflowx",
            "Bigmathutils",
            "Graphnode"
          ],
          "industries": [
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "Lazarus Group"
          ],
          "malware_families": [
            "Graphsync",
            "Terminalcolor256",
            "Netstruct",
            "Graphalgo",
            "Graphdict",
            "Graphchain",
            "Graphex",
            "Graphhub",
            "Bigmathex",
            "Bigmathlib",
            "Bignumberx",
            "Graphorbit",
            "Bignum",
            "Graphnet",
            "Graphlibcore",
            "Graphlibx",
            "Bigpyx",
            "Graphkitx",
            "Graphlink",
            "Graphflux",
            "Bignumx",
            "Terminal-kleur",
            "Bigmathix",
            "Bignumex",
            "Graphnetworkx",
            "Graphrix",
            "Graphflowx",
            "Bigmathutils",
            "Graphnode"
          ],
          "industries": [
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69dd073f50edefa3e44adec6",
      "name": "Fake recruiter campaign targets crypto developers with RAT",
      "description": "A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package, which accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the MetaMask browser extension, indicating a focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.",
      "modified": "2026-04-13T15:58:25.756000",
      "created": "2026-04-13T15:09:51.370000",
      "tags": [
        "netstruct",
        "bigmathlib",
        "graphrix",
        "terminal-kleur",
        "bignum",
        "pypi packages",
        "graphorbit",
        "graphnetworkx",
        "bigmathix",
        "fake recruitment",
        "graphalgo",
        "graphnode",
        "bignumx",
        "graphlibx",
        "graphflowx",
        "bignumberx",
        "npm packages",
        "bignumex",
        "graphhub",
        "javascript developers",
        "graphlink",
        "graphdict",
        "supply chain attack",
        "cryptocurrency targeting",
        "graphflux",
        "graphlibcore",
        "graphnet",
        "graphsync",
        "bigmathex",
        "graphkitx",
        "graphex",
        "graphchain",
        "bigmathutils",
        "bigpyx",
        "north korea",
        "blockchain",
        "terminalcolor256",
        "python developers"
      ],
      "references": [
        "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
      ],
      "public": 1,
      "adversary": "Lazarus Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "graphalgo",
          "display_name": "graphalgo",
          "target": null
        },
        {
          "id": "bigmathutils",
          "display_name": "bigmathutils",
          "target": null
        },
        {
          "id": "graphnetworkx",
          "display_name": "graphnetworkx",
          "target": null
        },
        {
          "id": "graphlibcore",
          "display_name": "graphlibcore",
          "target": null
        },
        {
          "id": "netstruct",
          "display_name": "netstruct",
          "target": null
        },
        {
          "id": "terminalcolor256",
          "display_name": "terminalcolor256",
          "target": null
        },
        {
          "id": "graphkitx",
          "display_name": "graphkitx",
          "target": null
        },
        {
          "id": "graphchain",
          "display_name": "graphchain",
          "target": null
        },
        {
          "id": "graphflux",
          "display_name": "graphflux",
          "target": null
        },
        {
          "id": "graphorbit",
          "display_name": "graphorbit",
          "target": null
        },
        {
          "id": "graphnet",
          "display_name": "graphnet",
          "target": null
        },
        {
          "id": "graphhub",
          "display_name": "graphhub",
          "target": null
        },
        {
          "id": "terminal-kleur",
          "display_name": "terminal-kleur",
          "target": null
        },
        {
          "id": "graphrix",
          "display_name": "graphrix",
          "target": null
        },
        {
          "id": "bignumx",
          "display_name": "bignumx",
          "target": null
        },
        {
          "id": "bignumberx",
          "display_name": "bignumberx",
          "target": null
        },
        {
          "id": "bignumex",
          "display_name": "bignumex",
          "target": null
        },
        {
          "id": "bigmathex",
          "display_name": "bigmathex",
          "target": null
        },
        {
          "id": "bigmathlib",
          "display_name": "bigmathlib",
          "target": null
        },
        {
          "id": "bigmathix",
          "display_name": "bigmathix",
          "target": null
        },
        {
          "id": "graphlink",
          "display_name": "graphlink",
          "target": null
        },
        {
          "id": "graphflowx",
          "display_name": "graphflowx",
          "target": null
        },
        {
          "id": "graphex",
          "display_name": "graphex",
          "target": null
        },
        {
          "id": "graphlibx",
          "display_name": "graphlibx",
          "target": null
        },
        {
          "id": "graphdict",
          "display_name": "graphdict",
          "target": null
        },
        {
          "id": "graphnode",
          "display_name": "graphnode",
          "target": null
        },
        {
          "id": "graphsync",
          "display_name": "graphsync",
          "target": null
        },
        {
          "id": "bigpyx",
          "display_name": "bigpyx",
          "target": null
        },
        {
          "id": "bignum",
          "display_name": "bignum",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 60,
        "FileHash-SHA1": 195,
        "FileHash-SHA256": 60,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 319,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386449,
      "modified_text": "47 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699fc0513ab49ceb22c6d96b",
      "name": "TCS IOC",
      "description": "",
      "modified": "2026-05-01T00:01:44.921000",
      "created": "2026-02-26T03:38:57.799000",
      "tags": [
        "https",
        "f https",
        "msgtype1",
        "http",
        "apiv2init"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "myerioc72",
        "id": "364999",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    },
    {
      "id": "69ddc26e2242465c54a3b00e",
      "name": "Fake recruiter campaign targets crypto developers with RAT",
      "description": "",
      "modified": "2026-04-14T04:28:30.452000",
      "created": "2026-04-14T04:28:30.452000",
      "tags": [
        "netstruct",
        "bigmathlib",
        "graphrix",
        "terminal-kleur",
        "bignum",
        "pypi packages",
        "graphorbit",
        "graphnetworkx",
        "bigmathix",
        "fake recruitment",
        "graphalgo",
        "graphnode",
        "bignumx",
        "graphlibx",
        "graphflowx",
        "bignumberx",
        "npm packages",
        "bignumex",
        "graphhub",
        "javascript developers",
        "graphlink",
        "graphdict",
        "supply chain attack",
        "cryptocurrency targeting",
        "graphflux",
        "graphlibcore",
        "graphnet",
        "graphsync",
        "bigmathex",
        "graphkitx",
        "graphex",
        "graphchain",
        "bigmathutils",
        "bigpyx",
        "north korea",
        "blockchain",
        "terminalcolor256",
        "python developers"
      ],
      "references": [
        "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
      ],
      "public": 1,
      "adversary": "Lazarus Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "graphalgo",
          "display_name": "graphalgo",
          "target": null
        },
        {
          "id": "bigmathutils",
          "display_name": "bigmathutils",
          "target": null
        },
        {
          "id": "graphnetworkx",
          "display_name": "graphnetworkx",
          "target": null
        },
        {
          "id": "graphlibcore",
          "display_name": "graphlibcore",
          "target": null
        },
        {
          "id": "netstruct",
          "display_name": "netstruct",
          "target": null
        },
        {
          "id": "terminalcolor256",
          "display_name": "terminalcolor256",
          "target": null
        },
        {
          "id": "graphkitx",
          "display_name": "graphkitx",
          "target": null
        },
        {
          "id": "graphchain",
          "display_name": "graphchain",
          "target": null
        },
        {
          "id": "graphflux",
          "display_name": "graphflux",
          "target": null
        },
        {
          "id": "graphorbit",
          "display_name": "graphorbit",
          "target": null
        },
        {
          "id": "graphnet",
          "display_name": "graphnet",
          "target": null
        },
        {
          "id": "graphhub",
          "display_name": "graphhub",
          "target": null
        },
        {
          "id": "terminal-kleur",
          "display_name": "terminal-kleur",
          "target": null
        },
        {
          "id": "graphrix",
          "display_name": "graphrix",
          "target": null
        },
        {
          "id": "bignumx",
          "display_name": "bignumx",
          "target": null
        },
        {
          "id": "bignumberx",
          "display_name": "bignumberx",
          "target": null
        },
        {
          "id": "bignumex",
          "display_name": "bignumex",
          "target": null
        },
        {
          "id": "bigmathex",
          "display_name": "bigmathex",
          "target": null
        },
        {
          "id": "bigmathlib",
          "display_name": "bigmathlib",
          "target": null
        },
        {
          "id": "bigmathix",
          "display_name": "bigmathix",
          "target": null
        },
        {
          "id": "graphlink",
          "display_name": "graphlink",
          "target": null
        },
        {
          "id": "graphflowx",
          "display_name": "graphflowx",
          "target": null
        },
        {
          "id": "graphex",
          "display_name": "graphex",
          "target": null
        },
        {
          "id": "graphlibx",
          "display_name": "graphlibx",
          "target": null
        },
        {
          "id": "graphdict",
          "display_name": "graphdict",
          "target": null
        },
        {
          "id": "graphnode",
          "display_name": "graphnode",
          "target": null
        },
        {
          "id": "graphsync",
          "display_name": "graphsync",
          "target": null
        },
        {
          "id": "bigpyx",
          "display_name": "bigpyx",
          "target": null
        },
        {
          "id": "bignum",
          "display_name": "bignum",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69dd073f50edefa3e44adec6",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 60,
        "FileHash-SHA1": 195,
        "FileHash-SHA256": 60,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 319,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 279,
      "modified_text": "46 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698fb8581536b5d49a60ce56",
      "name": "Graphalgo Fake Recruiter Supply-Chain Campaign Delivering Multi-Language RAT via OSS Repositories",
      "description": "",
      "modified": "2026-02-13T23:48:37.638000",
      "created": "2026-02-13T23:48:37.638000",
      "tags": [
        "domain",
        "hashmd5",
        "hashsha256"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 14,
      "modified_text": "105 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698e8944dfe02739539fa5b7",
      "name": "IOC - Fake recruiter campaign targets crypto devs",
      "description": "The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group. The campaign, which the team named graphalgo after the first package included in this campaign in the npm repository, has been active since the beginning of May 2025. It is a coordinated campaign targeting both JavaScript and Python developers with cryptocurrency-related fake recruiter tasks.",
      "modified": "2026-02-13T02:15:32.584000",
      "created": "2026-02-13T02:15:32.584000",
      "tags": [
        "pypi",
        "pypi graphdict",
        "pypi graphalgo",
        "pypi graphlibx",
        "pypi bignum",
        "final rat",
        "file type",
        "sha1 python",
        "pypi graphex",
        "pypi graphflux"
      ],
      "references": [
        "https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 25,
        "FileHash-SHA1": 195,
        "FileHash-SHA256": 25,
        "domain": 2
      },
      "indicator_count": 247,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "106 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "codepool.cloud",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "codepool.cloud",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780173785.6853237
}