{ "type": "Domain", "indicator": "coolsystem.co.kr", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/coolsystem.co.kr", "alexa": "http://www.alexa.com/siteinfo/coolsystem.co.kr", "indicator": "coolsystem.co.kr", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3835366328, "indicator": "coolsystem.co.kr", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 21, "pulses": [ { "id": "66b22f6634824f0fa4c20d03", "name": "North Korean Hacking Groups Stealing Construction and Machinery Sector Technologies: A Warning", "description": "South Korea's cybersecurity community, consisting of the National Intelligence Service, Prosecution Service, Police Agency, Defense Security Command, and Cyber Command, among others, warns of the risks posed by North Korean hacking groups' cyber attacks targeting the domestic construction and machinery sectors. The report highlights the attack strategies, techniques, procedures (TTPs), and indicators of compromise (IoCs) employed by these North Korean groups. As North Korea accelerates its regional development initiatives, its party, military, and government entities, as well as hacking groups, are intensifying efforts to obtain unauthorized access to South Korea's construction, machinery, and urban development data to aid in industrial plant construction and local development plans.", "modified": "2024-09-05T14:02:22.746000", "created": "2024-08-06T14:12:54.554000", "tags": [ "cyber attack", "north korea", "espionage", "machinery", "dorarat", "construction", "trollagent" ], "references": [ "https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=146934&menuNo=020000&subMenuNo=020200&thirdMenuNo=#LINK" ], "public": 1, "adversary": "Kimsuky and Andariel", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null }, { "id": "DoraRAT", "display_name": "DoraRAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 212, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 9 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 387010, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34db750f6497da451c4b9", "name": "Kimsuky abuses a valid certificate to distribute TrollAgent", "description": "A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.", "modified": "2024-02-19T14:45:52.838000", "created": "2024-02-19T12:46:47.403000", "tags": [ "construction", "trollagent", "spyware", "phishing", "korea", "backdoor" ], "references": [ "", "https://asec.ahnlab.com/ko/61666/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 342, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 387009, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c117536df0c4c6c3cc85e9", "name": "Software Installer Impersonation Kimsuky (APT-Q-2) Information Stealing Operation", "description": "This report describes a recent information stealing operation by the threat actor group Kimsuky, also known as APT-Q-2. The attackers distributed malware impersonating software installers from South Korean companies, which collected sensitive information from compromised devices and exfiltrated it to attacker-controlled servers.", "modified": "2024-02-05T17:26:38.069000", "created": "2024-02-05T17:13:55.942000", "tags": [ "trollagent", "software installers", "impersonation", "south korea", "information stealing", "malware" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA%3D%3D&mid=2247509476&idx=1&sn=b0e09436095203b75710836d718d6699" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 313, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 7, "domain": 1, "hostname": 6 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 387009, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "556 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "556 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b46925d41cc4fea5a0a3cc", "name": "Beware of technology theft in the construction and machinery sectors by North Korean hacking organizations", "description": "", "modified": "2024-09-05T06:00:06.174000", "created": "2024-08-08T06:43:49.561000", "tags": [ "http", "trollagent", "dorarat" ], "references": [ "https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66b1c3c418262191f69bf137", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 8 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b1c3c418262191f69bf137", "name": "Beware of technology theft in the construction and machinery sectors by North Korean hacking organizations", "description": "Republic of Korea National Intelligence Service, Prosecutors' Office, National Police Agency, Armed Forces Counterintelligence Command, Cyber \u200b\u200bOperations Command, etc.\nThe Cybersecurity Intelligence Community (hereinafter referred to as the Intelligence Community)", "modified": "2024-09-05T06:00:06.174000", "created": "2024-08-06T06:33:40.115000", "tags": [ "http", "trollagent", "dorarat" ], "references": [ "https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 8 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660143d42c93e70c21c6f8f5", "name": "Kimsuky abuses a valid certificate to distribute TrollAgent", "description": "", "modified": "2024-03-25T09:28:52.445000", "created": "2024-03-25T09:28:52.445000", "tags": [ "construction", "trollagent", "spyware", "phishing", "korea", "backdoor" ], "references": [ "", "https://asec.ahnlab.com/ko/61666/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Construction" ], "TLP": "white", "cloned_from": "65fb59220dea32a4bb4be217", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "799 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fb615cfcff972f2187b9c2", "name": "Software Installer Impersonation Kimsuky (APT-Q-2) Information Stealing Operation", "description": "", "modified": "2024-03-20T22:21:16.173000", "created": "2024-03-20T22:21:16.173000", "tags": [ "trollagent", "software installers", "impersonation", "south korea", "information stealing", "malware" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA%3D%3D&mid=2247509476&idx=1&sn=b0e09436095203b75710836d718d6699" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Government", "Technology" ], "TLP": "white", "cloned_from": "65c117536df0c4c6c3cc85e9", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 7, "domain": 1, "hostname": 6 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "804 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fb59220dea32a4bb4be217", "name": "Kimsuky abuses a valid certificate to distribute TrollAgent", "description": "", "modified": "2024-03-20T21:46:10.052000", "created": "2024-03-20T21:46:10.052000", "tags": [ "construction", "trollagent", "spyware", "phishing", "korea", "backdoor" ], "references": [ "", "https://asec.ahnlab.com/ko/61666/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Construction" ], "TLP": "white", "cloned_from": "65d34db750f6497da451c4b9", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "804 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ca1d5db5bdaf6baf341b16", "name": "Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)", "description": "A new type of information-stealer malware believed to be from the Kimsuky group has been hunted for and analyzed by security research and intelligence centre Talon, which is based in South Korea.", "modified": "2024-03-13T13:05:13.469000", "created": "2024-02-12T13:30:05.326000", "tags": [ "troll stealer", "appdata", "c server", "stealer", "yymmdd", "kimsuky group", "appleseed", "sha512 hash", "userprofile", "c drive", "dropper", "vmprotect", "target", "path", "desktop", "encrypt", "config", "pass", "meterpreter", "kimsuky", "talon", "powershell", "chromeupdatetaskmachineuac", "programdata%\\limsjo.a", "drive troll", "\u2014troll", "alphaseed", "troll" ], "references": [ "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [ { "id": "ChromeUpdateTaskMachineUAC", "display_name": "ChromeUpdateTaskMachineUAC", "target": null }, { "id": "ProgramData%\\limsjo.a", "display_name": "ProgramData%\\limsjo.a", "target": null }, { "id": "Drive Troll", "display_name": "Drive Troll", "target": null }, { "id": "\u2014Troll", "display_name": "\u2014Troll", "target": null }, { "id": "AlphaSeed", "display_name": "AlphaSeed", "target": null }, { "id": "AppleSeed", "display_name": "AppleSeed", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Troll", "display_name": "Troll", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 6 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "811 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c7c03db2bdbf54dc458839", "name": "Kimsuky Related Golang Stealer \u2018Troll\u2019 and Backdoor \u2018GoBear\u2019 Revealed", "description": "", "modified": "2024-03-11T18:02:08.979000", "created": "2024-02-10T18:28:13.121000", "tags": [], "references": [ "February 11th, 2024 - CryptoGen Cyber Threat Intelligence Advisory #3945 - Kimsuky Related Golang Stealer \u2018Troll\u2019 and Backdoor \u2018GoBear\u2019 Revealed.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 8, "domain": 1, "hostname": 6 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c63cfb82767fe516e80f11", "name": "Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea", "description": "The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer.\n\nThe malware steals \"SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures\" from infected systems, South Korean cybersecurity company S2W said in a new technical report.", "modified": "2024-03-10T14:02:21.820000", "created": "2024-02-09T14:55:55.105000", "tags": [ "troll stealer", "appdata", "c server", "stealer", "yymmdd", "kimsuky group", "appleseed", "sha512 hash", "userprofile", "c drive", "dropper", "alphaseed", "vmprotect", "target", "path", "desktop", "encrypt", "config", "pass", "meterpreter", "kimsuky", "talon", "powershell", "chromeupdatetaskmachineuac", "programdata%\\limsjo.a", "drive troll", "\u2014troll", "troll" ], "references": [ "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2", "https://thehackernews.com/2024/02/kimsukys-new-golang-stealer-troll-and.html" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [ { "id": "ChromeUpdateTaskMachineUAC", "display_name": "ChromeUpdateTaskMachineUAC", "target": null }, { "id": "ProgramData%\\limsjo.a", "display_name": "ProgramData%\\limsjo.a", "target": null }, { "id": "Drive Troll", "display_name": "Drive Troll", "target": null }, { "id": "\u2014Troll", "display_name": "\u2014Troll", "target": null }, { "id": "AlphaSeed", "display_name": "AlphaSeed", "target": null }, { "id": "AppleSeed", "display_name": "AppleSeed", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Troll", "display_name": "Troll", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 300, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 6 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c60d6496f1c4658dd255fc", "name": "Kimsuky's New Golang Stealer Troll and GoBear Backdoor Target South Korea", "description": "A North Korean state-linked cyber-espionage group is suspected of using a Go-based information stealer to steal data from South Korean government computers, according to a new security analysis..", "modified": "2024-03-10T11:05:48.248000", "created": "2024-02-09T11:32:52.659000", "tags": [ "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "kimsuky", "troll stealer", "appleseed", "alphaseed", "gpki", "gobear", "kimsuky group", "north", "filezilla", "c drive", "screen", "twitter", "thallium", "betaseed", "appdata", "c server", "stealer", "yymmdd", "sha512 hash", "userprofile", "dropper", "vmprotect", "target", "path", "desktop", "encrypt", "config", "pass", "meterpreter", "talon", "powershell", "chromeupdatetaskmachineuac", "programdata%\\limsjo.a", "drive troll", "\u2014troll", "troll" ], "references": [ "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [ { "id": "AppleSeed", "display_name": "AppleSeed", "target": null }, { "id": "AlphaSeed", "display_name": "AlphaSeed", "target": null }, { "id": "BetaSeed", "display_name": "BetaSeed", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "ChromeUpdateTaskMachineUAC", "display_name": "ChromeUpdateTaskMachineUAC", "target": null }, { "id": "ProgramData%\\limsjo.a", "display_name": "ProgramData%\\limsjo.a", "target": null }, { "id": "Drive Troll", "display_name": "Drive Troll", "target": null }, { "id": "\u2014Troll", "display_name": "\u2014Troll", "target": null }, { "id": "Troll", "display_name": "Troll", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "URL": 2, "domain": 1, "hostname": 6 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "814 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e6c1a4cac0494c15f87776", "name": "TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)", "description": "", "modified": "2024-03-05T06:54:28.895000", "created": "2024-03-05T06:54:28.895000", "tags": [ "trustpki", "infostealer", "nxprnman", "backdoor", "golang" ], "references": [ "https://asec.ahnlab.com/en/61934/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65dd5fd06cbe177b430f6ef6", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "819 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65dd5fd06cbe177b430f6ef6", "name": "TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)", "description": "", "modified": "2024-02-27T04:06:40.887000", "created": "2024-02-27T04:06:40.887000", "tags": [ "trustpki", "infostealer", "nxprnman", "backdoor", "golang" ], "references": [ "https://asec.ahnlab.com/en/61934/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65d89cc1a315b71a1a8322b0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "827 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d89cc1a315b71a1a8322b0", "name": "TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)", "description": "AhnLab SEcurity intelligence Center (ASEC) recently discovered that malware strains are downloaded into systems when users try to download security programs from a Korean construction-related association\u2019s website. Login is required to use the website\u2019s services, and various security programs must be installed to log in.", "modified": "2024-02-23T13:25:21.567000", "created": "2024-02-23T13:25:21.567000", "tags": [ "trustpki", "infostealer", "nxprnman", "backdoor", "golang" ], "references": [ "https://asec.ahnlab.com/en/61934/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "830 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d5895d2373af9f8af6b43e", "name": "Kimsuky Group Exploits Security Software Installation for TrollAgent Infection", "description": "Researchers have recently confirmed that when attempting to install a security program from\nthe website of a domestic construction-related association, users may inadvertently download\nmalicious code. Accessing the website's services requires logging in, and as part of the\nsecurity protocol, users are prompted to install various programs. However, one of these\ninstallation programs contain malicious code. If installed, it not only installs the intended\nsecurity program but also the malicious code.", "modified": "2024-02-21T05:25:49.773000", "created": "2024-02-21T05:25:49.773000", "tags": [ "hash" ], "references": [ "TI Advisory No_ESAF-SOC-TI-290-Kimsuky Group Exploits Security Software Installation for TrollAgent Infection.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "832 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=146934&menuNo=020000&subMenuNo=020200&thirdMenuNo=#LINK", "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2", "https://thehackernews.com/2024/02/kimsukys-new-golang-stealer-troll-and.html", "https://asec.ahnlab.com/ko/61666/", "TI Advisory No_ESAF-SOC-TI-290-Kimsuky Group Exploits Security Software Installation for TrollAgent Infection.txt", "https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun", "February 11th, 2024 - CryptoGen Cyber Threat Intelligence Advisory #3945 - Kimsuky Related Golang Stealer \u2018Troll\u2019 and Backdoor \u2018GoBear\u2019 Revealed.pdf", "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA%3D%3D&mid=2247509476&idx=1&sn=b0e09436095203b75710836d718d6699", "https://asec.ahnlab.com/en/61934/" ], "related": { "alienvault": { "adversary": [ "Kimsuky", "Kimsuky and Andariel" ], "malware_families": [ "Trollagent", "Dorarat" ], "industries": [ "Government", "Technology", "Construction" ] }, "other": { "adversary": [ "Kimsuky" ], "malware_families": [ "Programdata%\\limsjo.a", "Chromeupdatetaskmachineuac", "Trollagent", "Alphaseed", "Kimsuky", "Appleseed", "Betaseed", "\u2014troll", "Troll", "Drive troll" ], "industries": [ "Government", "Technology", "Construction" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 21, "pulses": [ { "id": "66b22f6634824f0fa4c20d03", "name": "North Korean Hacking Groups Stealing Construction and Machinery Sector Technologies: A Warning", "description": "South Korea's cybersecurity community, consisting of the National Intelligence Service, Prosecution Service, Police Agency, Defense Security Command, and Cyber Command, among others, warns of the risks posed by North Korean hacking groups' cyber attacks targeting the domestic construction and machinery sectors. The report highlights the attack strategies, techniques, procedures (TTPs), and indicators of compromise (IoCs) employed by these North Korean groups. As North Korea accelerates its regional development initiatives, its party, military, and government entities, as well as hacking groups, are intensifying efforts to obtain unauthorized access to South Korea's construction, machinery, and urban development data to aid in industrial plant construction and local development plans.", "modified": "2024-09-05T14:02:22.746000", "created": "2024-08-06T14:12:54.554000", "tags": [ "cyber attack", "north korea", "espionage", "machinery", "dorarat", "construction", "trollagent" ], "references": [ "https://www.ncsc.go.kr:4018/main/cop/bbs/selectBoardArticle.do?bbsId=SecurityAdvice_main&nttId=146934&menuNo=020000&subMenuNo=020200&thirdMenuNo=#LINK" ], "public": 1, "adversary": "Kimsuky and Andariel", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null }, { "id": "DoraRAT", "display_name": "DoraRAT", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 212, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 9 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 387010, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34db750f6497da451c4b9", "name": "Kimsuky abuses a valid certificate to distribute TrollAgent", "description": "A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.", "modified": "2024-02-19T14:45:52.838000", "created": "2024-02-19T12:46:47.403000", "tags": [ "construction", "trollagent", "spyware", "phishing", "korea", "backdoor" ], "references": [ "", "https://asec.ahnlab.com/ko/61666/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 342, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 23, "domain": 1, "hostname": 22 }, "indicator_count": 85, "is_author": false, "is_subscribing": null, "subscriber_count": 387009, "modified_text": "834 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c117536df0c4c6c3cc85e9", "name": "Software Installer Impersonation Kimsuky (APT-Q-2) Information Stealing Operation", "description": "This report describes a recent information stealing operation by the threat actor group Kimsuky, also known as APT-Q-2. The attackers distributed malware impersonating software installers from South Korean companies, which collected sensitive information from compromised devices and exfiltrated it to attacker-controlled servers.", "modified": "2024-02-05T17:26:38.069000", "created": "2024-02-05T17:13:55.942000", "tags": [ "trollagent", "software installers", "impersonation", "south korea", "information stealing", "malware" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA%3D%3D&mid=2247509476&idx=1&sn=b0e09436095203b75710836d718d6699" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "TrollAgent", "display_name": "TrollAgent", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 313, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 7, "domain": 1, "hostname": 6 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 387009, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "556 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "556 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b46925d41cc4fea5a0a3cc", "name": "Beware of technology theft in the construction and machinery sectors by North Korean hacking organizations", "description": "", "modified": "2024-09-05T06:00:06.174000", "created": "2024-08-08T06:43:49.561000", "tags": [ "http", "trollagent", "dorarat" ], "references": [ "https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66b1c3c418262191f69bf137", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 8 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b1c3c418262191f69bf137", "name": "Beware of technology theft in the construction and machinery sectors by North Korean hacking organizations", "description": "Republic of Korea National Intelligence Service, Prosecutors' Office, National Police Agency, Armed Forces Counterintelligence Command, Cyber \u200b\u200bOperations Command, etc.\nThe Cybersecurity Intelligence Community (hereinafter referred to as the Intelligence Community)", "modified": "2024-09-05T06:00:06.174000", "created": "2024-08-06T06:33:40.115000", "tags": [ "http", "trollagent", "dorarat" ], "references": [ "https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 8 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "635 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "coolsystem.co.kr", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "coolsystem.co.kr", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780463625.47222 }