{ "type": "Domain", "indicator": "cosmicpharma-bd.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cosmicpharma-bd.com", "alexa": "http://www.alexa.com/siteinfo/cosmicpharma-bd.com", "indicator": "cosmicpharma-bd.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4150652329, "indicator": "cosmicpharma-bd.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692dae2bdfd7e18df0f1e5b0", "name": "qAWSDFGHJ", "description": "Web users are being urged to check their accounts before they use them, as well as taking part in a series of security checks. and a number of other security-related web-based sites.", "modified": "2025-12-31T15:01:28.564000", "created": "2025-12-01T15:03:07.147000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "hostname": 4 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69297c21a7a29bc6ac28041d", "name": "ClickFix Gets Creative: Malware Buried in Images | Huntress", "description": "Find out more about the Huntress products and services on the Microsoft Marketplace and on our site for free and unlimited access to all the latest technology and resources. and information on how to use them.", "modified": "2025-12-28T10:01:42.641000", "created": "2025-11-28T10:40:33.411000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 17, "domain": 22, "hostname": 7 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69269a713e9ed36acadcbd6f", "name": "IOC - Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix", "description": "Novel \"JackFix\" attack: Acronis TRU researchers discover an ongoing campaign that leverages a novel combination of screen hijacking techniques with ClickFix, displaying a realistic, full-screen Windows Update of \u201cCritical Windows Security Updates\u201d to trick victims into executing malicious commands.\nAdult content bait strategy: Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The adult theme, and possible connection to shady websites, add to victim\u2019s psychological pressure, making victims more likely to comply with sudden \u201csecurity update\u201d installation instructions.", "modified": "2025-12-26T06:00:46.039000", "created": "2025-11-26T06:13:05.062000", "tags": [], "references": [ "https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "hostname": 4 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69258ec9f2e8abc71efb55e6", "name": "Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware", "description": "New wave of clickFix attacks is identified to abuse highly realistic fake Windows\n Update screens and PNG image steganography to secretly deploy info stealing\n malware.", "modified": "2025-12-25T11:00:36.098000", "created": "2025-11-25T11:11:05.181000", "tags": [], "references": [ "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 23 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6925468fbc639f2b2ae4afa9", "name": "IOC - ClickFix Gets Creative: Malware Buried in Images", "description": "This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.", "modified": "2025-12-25T06:01:37.590000", "created": "2025-11-25T06:02:55.071000", "tags": [ "stage", "urls", "clickfix lure", "windows update", "lure indicators", "cluster", "clickfix robot", "lure", "lummac2" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 22 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692514d8b7be86bae7057673", "name": "ClickFix Malware Evolves With Steganographic Image-Based Delivery", "description": "Huntress is a managed security platform designed to protect organisations from cyber-attacks, writes Ben Folland and Anna Pham, who worked with the company's parent company, Microsoft, to develop its security solutions.", "modified": "2025-12-25T02:04:22.852000", "created": "2025-11-25T02:30:48.788000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924cddd2c084e5cafc84277", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "The analysis highlights a sophisticated malware campaign utilizing ClickFix lures to execute multi-stage malware delivery, ultimately leading to the deployment of infostealing malware such as LummaC2 and Rhadamanthys. A prominent aspect of this campaign is the innovative use of steganography to hide malicious payloads within image files, specifically PNGs, where malicious code is embedded directly in the pixel data. This technique enhances concealment, as the payload is reconstructed and decrypted in memory using specific color channels.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:27:57.190000", "tags": [ "clickfix lure", "huntress", "powershell", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat", "stage", "urls", "clickfix robot", "lure", "lure indicators" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b86538bc9d6168b54ed7e", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2025-12-17T20:05:25.178000", "created": "2025-11-17T20:32:18.360000", "tags": [ "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 53, "FileHash-SHA256": 54, "URL": 1581, "domain": 374, "hostname": 1629 }, "indicator_count": 3746, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/", "https://www.huntress.com/blog/clickfix-malware-buried-in-images", "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face" ], "malware_families": [ "", "Update lure", "Windows update", "Qilin", "Nexus threat", "Huntress", "Rhadamanthys" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692dae2bdfd7e18df0f1e5b0", "name": "qAWSDFGHJ", "description": "Web users are being urged to check their accounts before they use them, as well as taking part in a series of security checks. and a number of other security-related web-based sites.", "modified": "2025-12-31T15:01:28.564000", "created": "2025-12-01T15:03:07.147000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "hostname": 4 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69297c21a7a29bc6ac28041d", "name": "ClickFix Gets Creative: Malware Buried in Images | Huntress", "description": "Find out more about the Huntress products and services on the Microsoft Marketplace and on our site for free and unlimited access to all the latest technology and resources. and information on how to use them.", "modified": "2025-12-28T10:01:42.641000", "created": "2025-11-28T10:40:33.411000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 17, "domain": 22, "hostname": 7 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "154 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69269a713e9ed36acadcbd6f", "name": "IOC - Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix", "description": "Novel \"JackFix\" attack: Acronis TRU researchers discover an ongoing campaign that leverages a novel combination of screen hijacking techniques with ClickFix, displaying a realistic, full-screen Windows Update of \u201cCritical Windows Security Updates\u201d to trick victims into executing malicious commands.\nAdult content bait strategy: Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The adult theme, and possible connection to shady websites, add to victim\u2019s psychological pressure, making victims more likely to comply with sudden \u201csecurity update\u201d installation instructions.", "modified": "2025-12-26T06:00:46.039000", "created": "2025-11-26T06:13:05.062000", "tags": [], "references": [ "https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "hostname": 4 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69258ec9f2e8abc71efb55e6", "name": "Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware", "description": "New wave of clickFix attacks is identified to abuse highly realistic fake Windows\n Update screens and PNG image steganography to secretly deploy info stealing\n malware.", "modified": "2025-12-25T11:00:36.098000", "created": "2025-11-25T11:11:05.181000", "tags": [], "references": [ "November 25th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #8637 - Fake Windows Update Screens Used by ClickFix to Deliver Steganographic Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 23 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6925468fbc639f2b2ae4afa9", "name": "IOC - ClickFix Gets Creative: Malware Buried in Images", "description": "This analysis details a multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys. A notable discovery during analysis was the campaign's use of steganography to conceal the final malware stages within an image. Rather than simply appending malicious data to a file, the malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.", "modified": "2025-12-25T06:01:37.590000", "created": "2025-11-25T06:02:55.071000", "tags": [ "stage", "urls", "clickfix lure", "windows update", "lure indicators", "cluster", "clickfix robot", "lure", "lummac2" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 22 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692514d8b7be86bae7057673", "name": "ClickFix Malware Evolves With Steganographic Image-Based Delivery", "description": "Huntress is a managed security platform designed to protect organisations from cyber-attacks, writes Ben Folland and Anna Pham, who worked with the company's parent company, Microsoft, to develop its security solutions.", "modified": "2025-12-25T02:04:22.852000", "created": "2025-11-25T02:30:48.788000", "tags": [ "windows update", "clickfix lure", "huntress", "powershell", "windows run", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Update Lure", "display_name": "Update Lure", "target": null }, { "id": "Windows Update", "display_name": "Windows Update", "target": null }, { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "Nexus Threat", "display_name": "Nexus Threat", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Huntress", "display_name": "Huntress", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924cddd2c084e5cafc84277", "name": "ClickFix Gets Creative: Malware Buried in Images", "description": "The analysis highlights a sophisticated malware campaign utilizing ClickFix lures to execute multi-stage malware delivery, ultimately leading to the deployment of infostealing malware such as LummaC2 and Rhadamanthys. A prominent aspect of this campaign is the innovative use of steganography to hide malicious payloads within image files, specifically PNGs, where malicious code is embedded directly in the pixel data. This technique enhances concealment, as the payload is reconstructed and decrypted in memory using specific color channels.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:27:57.190000", "tags": [ "clickfix lure", "huntress", "powershell", "redacted", "blob url", "clickfix domain", "lummac2", "clickfix", "rhadamanthys", "find", "python", "shellcode", "cluster", "update lure", "qilin", "nexus threat", "stage", "urls", "clickfix robot", "lure", "lure indicators" ], "references": [ "https://www.huntress.com/blog/clickfix-malware-buried-in-images" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 16, "domain": 22 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b86538bc9d6168b54ed7e", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2025-12-17T20:05:25.178000", "created": "2025-11-17T20:32:18.360000", "tags": [ "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 53, "FileHash-SHA256": 54, "URL": 1581, "domain": 374, "hostname": 1629 }, "indicator_count": 3746, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cosmicpharma-bd.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cosmicpharma-bd.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780231902.547872 }