{ "type": "Domain", "indicator": "coinbasedapp.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/coinbasedapp.net", "alexa": "http://www.alexa.com/siteinfo/coinbasedapp.net", "indicator": "coinbasedapp.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3406016910, "indicator": "coinbasedapp.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6415382e171ac5dbf9115556", "name": "pig butchering- scam has been revealed", "description": "Note.com's Facebook page has been updated to reflect the latest developments in the battle for the title of the world's most-watched social media platform, the \"most popular social network\".", "modified": "2023-03-18T04:03:58.734000", "created": "2023-03-18T04:03:58.734000", "tags": [], "references": [ "pig butchering- scam has been revealed.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 3, "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 18, "URL": 12, "domain": 143, "hostname": 335 }, "indicator_count": 525, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1171 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623afbb4a5900f2a1f314864", "name": "NewDom-0-20220323", "description": "ICANN-Dom", "modified": "2022-05-07T00:03:18.570000", "created": "2022-03-23T10:51:32.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "pig butchering- scam has been revealed.txt", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack", "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Telecommunications", "Government", "Education", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f3f9e7dc1e04dba54504e9", "name": "23.227.38.32 + luv[txt]vbs", "description": "This domain has a high-volume repository for malicious activity, currently hosting 94.2K communicating files, 200 Passive DNS entries, and 133 referring files. The presence of the luv[txt]vbs script, a known delivery mechanism for broader compromises exists. Technical Findings: Scale of Infiltration: I have successfully ingested and uploaded the 133 referring files and a significant sample of the 94.2K communicating files. Due to the massive scale of this repository, full ingestion is ongoing; however, the primary infection vector is confirmed to be targeting Windows [EXE] documents, as evidenced by high-frequency VirusTotal (VT) flagging.Stealth & Obfuscation Techniques: The domain contains a subset of documents disguised as \"classroom education\" materials. These files utilize a specific obfuscation technique where the first letter of the filename or content is omitted.", "modified": "2026-05-31T01:02:14", "created": "2026-05-01T00:55:03.371000", "tags": [], "references": [ "This missing-letter technique is likely a stealth tactic designed to bypass traditional heuristic detection and signature-based antivirus (AV) scans. These indicators are consistent with high-integrity sources and threat actors I have previously documented and reported.", "\"Network port scanning and reconnaissance - according to source Guardpot - 10 months ago This IP was involved in 632 events across 1 distinct attack types. Attacks: dns-query (632). First seen: 2025-06-17 00:47 UTC, Last seen: 2025-06-17 00:48 UTC.\"", "", "Code Insights VT, Of note, a lot of the malicious PDFs I have detected through sandboxing do not flag and all have code insights. Incidental finding that is curious.", "The code insights look like this \"The analyzed document exhibits no internal execution chains, embedded scripts, or exploits, but heavily utilizes numerous external URIs. Visual and textual analysis indicates the file functions as an SEO poisoning or doorway document. The PDF consists almost entirely of a dense, nonsensical list of hyperlinked keywords referencing various brands, user manuals, and textbooks, all operating under a garbled, unrelated title. Although the file is structurally harmless and lack" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Telecommunications", "Education", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1518, "URL": 568, "FileHash-SHA256": 1807, "hostname": 375, "FileHash-MD5": 1186, "FileHash-SHA1": 774, "email": 32, "CIDR": 3 }, "indicator_count": 6263, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6415382e171ac5dbf9115556", "name": "pig butchering- scam has been revealed", "description": "Note.com's Facebook page has been updated to reflect the latest developments in the battle for the title of the world's most-watched social media platform, the \"most popular social network\".", "modified": "2023-03-18T04:03:58.734000", "created": "2023-03-18T04:03:58.734000", "tags": [], "references": [ "pig butchering- scam has been revealed.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 3, "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 18, "URL": 12, "domain": 143, "hostname": 335 }, "indicator_count": 525, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1171 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623afbb4a5900f2a1f314864", "name": "NewDom-0-20220323", "description": "ICANN-Dom", "modified": "2022-05-07T00:03:18.570000", "created": "2022-03-23T10:51:32.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "coinbasedapp.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "coinbasedapp.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780317680.4446492 }