{ "type": "Domain", "indicator": "cron.data", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cron.data", "alexa": "http://www.alexa.com/siteinfo/cron.data", "indicator": "cron.data", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3908740626, "indicator": "cron.data", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6679271d75f66267fe0e5c98", "name": "Uncovering Espionage Operations", "description": "This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system access. It explores their use of malware leveraging trusted third-party services for command and control, as well as their techniques for credential theft, including backdoored applications and targeting TACACS+ authentication servers. The group's operations spanned strategic global organizations across diverse sectors, emphasizing their advanced capabilities and cautious, evasive approach.", "modified": "2024-07-24T07:00:44.647000", "created": "2024-06-24T07:58:21.830000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 386910, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba2f64b573ebab9d4f3409", "name": "The Travels of \u201cmarkopolo\u201d: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future", "description": "Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:11:16.097000", "tags": [ "amos", "vortax", "recorded future", "intelligence", "insikt group", "stealc", "atomic macos", "stealer", "future", "markopolo", "insikt", "macos", "riflespine", "google drive", "mopsled", "unc3886", "mandiant", "token", "github", "c2 server", "download file", "upload", "crosswalk", "reptile", "write", "download", "alibaba", "medusa", "tacacs server", "tacacs", "lookover", "contact", "persistence", "enterprise", "rootkits", "icmp", "install", "python", "installer", "launcher", "reptile.shell", "linux", "virtualshine", "virtualpie" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Recorded Future", "display_name": "Recorded Future", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "REPTILE.SHELL", "display_name": "REPTILE.SHELL", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [ "Cryptocurrency", "Telecommunications", "Technology", "Aerospace", "Defense", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "434 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668ce0e438ae6e904191a8d4", "name": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations", "description": "", "modified": "2024-07-24T07:00:44.647000", "created": "2024-07-09T07:04:04.770000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": "6679271d75f66267fe0e5c98", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668ce10552f7bbd9fe8e4313", "name": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations", "description": "", "modified": "2024-07-24T07:00:44.647000", "created": "2024-07-09T07:04:37.198000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": "668ce0e438ae6e904191a8d4", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66746fdf1f78721bb353ba7a", "name": "New Android Trojan SoumniBot; Evades Detection with Clever Tricks", "description": "A new Android banking trojan has been detected in the wild targeting users in South Korea, but how does the malware evade detection and the threat hunters' attempts to find its creators? and how to get it caught?", "modified": "2024-07-20T18:00:18.630000", "created": "2024-06-20T18:07:27.968000", "tags": [ "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "soumnibot", "kalinin", "android", "south korea", "android banking", "gpki", "android trojan", "kaspersky", "dmitry kalinin", "android app", "april", "malware", "twitter", "riflespine", "google drive", "mopsled", "unc3886", "mandiant", "token", "github", "c2 server", "download file", "upload", "crosswalk", "reptile", "write", "download" ], "references": [ "https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html", "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3866", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nishanttyagi", "id": "271276", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations", "https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html" ], "related": { "alienvault": { "adversary": [ "UNC3886" ], "malware_families": [ "Reptile", "Mopsled", "Virtualsphere", "Virtualshine", "Virtualpie", "Riflespine", "Medusa" ], "industries": [] }, "other": { "adversary": [ "UNC3866", "UNC3886" ], "malware_families": [ "Reptile", "Mopsled", "Insikt", "Virtualsphere", "Reptile.shell", "Virtualshine", "Macos", "Virtualpie", "Linux", "Riflespine", "Medusa", "Recorded future" ], "industries": [ "Energy", "Defense", "Aerospace", "Technology", "Telecommunications", "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6679271d75f66267fe0e5c98", "name": "Uncovering Espionage Operations", "description": "This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system access. It explores their use of malware leveraging trusted third-party services for command and control, as well as their techniques for credential theft, including backdoored applications and targeting TACACS+ authentication servers. The group's operations spanned strategic global organizations across diverse sectors, emphasizing their advanced capabilities and cautious, evasive approach.", "modified": "2024-07-24T07:00:44.647000", "created": "2024-06-24T07:58:21.830000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 386910, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba2f64b573ebab9d4f3409", "name": "The Travels of \u201cmarkopolo\u201d: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future", "description": "Recorded Future's Insikt Group has identified a widespread cyberattack campaign involving Vortax, a purported virtual meeting software, which spreads infostealers to steal information on users of macOS.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:11:16.097000", "tags": [ "amos", "vortax", "recorded future", "intelligence", "insikt group", "stealc", "atomic macos", "stealer", "future", "markopolo", "insikt", "macos", "riflespine", "google drive", "mopsled", "unc3886", "mandiant", "token", "github", "c2 server", "download file", "upload", "crosswalk", "reptile", "write", "download", "alibaba", "medusa", "tacacs server", "tacacs", "lookover", "contact", "persistence", "enterprise", "rootkits", "icmp", "install", "python", "installer", "launcher", "reptile.shell", "linux", "virtualshine", "virtualpie" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Recorded Future", "display_name": "Recorded Future", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "REPTILE.SHELL", "display_name": "REPTILE.SHELL", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" } ], "industries": [ "Cryptocurrency", "Telecommunications", "Technology", "Aerospace", "Defense", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "434 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668ce0e438ae6e904191a8d4", "name": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations", "description": "", "modified": "2024-07-24T07:00:44.647000", "created": "2024-07-09T07:04:04.770000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": "6679271d75f66267fe0e5c98", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668ce10552f7bbd9fe8e4313", "name": "Cloaked and Covert: Uncovering UNC3886 Espionage Operations", "description": "", "modified": "2024-07-24T07:00:44.647000", "created": "2024-07-09T07:04:37.198000", "tags": [ "cve-2022-42475", "zero-day", "cve-2023-20867", "cve-2023-34048", "rootkit", "espionage", "cve-2022-41328", "cve-2022-22948", "supply chain", "virtualsphere" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3886", "targeted_countries": [], "malware_families": [ { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "MEDUSA", "display_name": "MEDUSA", "target": null }, { "id": "MOPSLED", "display_name": "MOPSLED", "target": null }, { "id": "RIFLESPINE", "display_name": "RIFLESPINE", "target": null }, { "id": "VIRTUALSHINE", "display_name": "VIRTUALSHINE", "target": null }, { "id": "VIRTUALPIE", "display_name": "VIRTUALPIE", "target": null }, { "id": "VIRTUALSPHERE", "display_name": "VIRTUALSPHERE", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" } ], "industries": [], "TLP": "white", "cloned_from": "668ce0e438ae6e904191a8d4", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66746fdf1f78721bb353ba7a", "name": "New Android Trojan SoumniBot; Evades Detection with Clever Tricks", "description": "A new Android banking trojan has been detected in the wild targeting users in South Korea, but how does the malware evade detection and the threat hunters' attempts to find its creators? and how to get it caught?", "modified": "2024-07-20T18:00:18.630000", "created": "2024-06-20T18:07:27.968000", "tags": [ "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "soumnibot", "kalinin", "android", "south korea", "android banking", "gpki", "android trojan", "kaspersky", "dmitry kalinin", "android app", "april", "malware", "twitter", "riflespine", "google drive", "mopsled", "unc3886", "mandiant", "token", "github", "c2 server", "download file", "upload", "crosswalk", "reptile", "write", "download" ], "references": [ "https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html", "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" ], "public": 1, "adversary": "UNC3866", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nishanttyagi", "id": "271276", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 47, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "YARA": 7, "domain": 3 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "681 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cron.data", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cron.data", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780414444.7419918 }