{ "type": "Domain", "indicator": "cronos.li", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cronos.li", "alexa": "http://www.alexa.com/siteinfo/cronos.li", "indicator": "cronos.li", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4283818711, "indicator": "cronos.li", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69c785cd73b8fcad9668be22", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "This analysis examines multiple data leaks attributed to BreachForums between 2022 and 2026, focusing on distinguishing between leak publication dates and actual data timelines. The study covers four datasets associated with different domain names (.vc, .co, .hn, .bf) used by the platform. Each dataset is analyzed based on publication date, format, database structure, and the 'lastactive' field in the user table. The analysis reveals that the domain associated with a leak does not necessarily indicate the timing of the compromise, but rather the context of data collection. The article emphasizes the importance of differentiating between publication date and actual data timeline to avoid misattribution in cyber threat intelligence activities.", "modified": "2026-03-30T10:06:07.717000", "created": "2026-03-28T07:39:57.308000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386451, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb4c7ec2983d5eff7d6d1c", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "", "modified": "2026-03-31T04:24:30.469000", "created": "2026-03-31T04:24:30.469000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69c785cd73b8fcad9668be22", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cad13dc4ef314a2fc35125", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "This article provides a technical and evidence-based reconstruction, aimed at Cyber Threat Intelligence and OSINT analysts, clearly distinguishing between leak publication and actual data timelines.", "modified": "2026-03-30T19:39:29.353000", "created": "2026-03-30T19:38:37.651000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "green", "cloned_from": "69c785cd73b8fcad9668be22", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "61 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/", "Book1.csv" ], "related": { "alienvault": { "adversary": [ "BreachForums" ], "malware_families": [], "industries": [] }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "BreachForums" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69c785cd73b8fcad9668be22", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "This analysis examines multiple data leaks attributed to BreachForums between 2022 and 2026, focusing on distinguishing between leak publication dates and actual data timelines. The study covers four datasets associated with different domain names (.vc, .co, .hn, .bf) used by the platform. Each dataset is analyzed based on publication date, format, database structure, and the 'lastactive' field in the user table. The analysis reveals that the domain associated with a leak does not necessarily indicate the timing of the compromise, but rather the context of data collection. The article emphasizes the importance of differentiating between publication date and actual data timeline to avoid misattribution in cyber threat intelligence activities.", "modified": "2026-03-30T10:06:07.717000", "created": "2026-03-28T07:39:57.308000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386451, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb4c7ec2983d5eff7d6d1c", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "", "modified": "2026-03-31T04:24:30.469000", "created": "2026-03-31T04:24:30.469000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69c785cd73b8fcad9668be22", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cad13dc4ef314a2fc35125", "name": "BreachForums Data Leaks: Technical Analysis and Timeline Attribution (2022\u20132026)", "description": "This article provides a technical and evidence-based reconstruction, aimed at Cyber Threat Intelligence and OSINT analysts, clearly distinguishing between leak publication and actual data timelines.", "modified": "2026-03-30T19:39:29.353000", "created": "2026-03-30T19:38:37.651000", "tags": [ "timeline attribution", "data leaks", "mybb", "forum infrastructure", "database dumps" ], "references": [ "https://www.d3lab.net/breachforums-data-leaks-technical-analysis-and-timeline-attribution-2022-2026/" ], "public": 1, "adversary": "BreachForums", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "green", "cloned_from": "69c785cd73b8fcad9668be22", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 3, "domain": 5, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "61 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cronos.li", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cronos.li", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173777.498058 }