{ "type": "Domain", "indicator": "crowdstrike-office365.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/crowdstrike-office365.com", "alexa": "http://www.alexa.com/siteinfo/crowdstrike-office365.com", "indicator": "crowdstrike-office365.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3927181075, "indicator": "crowdstrike-office365.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "676310e1b8c826f2b01166dc", "name": "Your Data Is Under New Management: The Rise of LummaStealer", "description": "LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized businesses. The malware employs various infection vectors, including phishing emails, cracked software, and malicious downloads. It harvests credentials, cookies, cryptocurrency wallets, and system information, exfiltrating data to remote servers. Recent campaigns have shown increased sophistication in social engineering tactics and the use of legitimate platforms like Steam and Dropbox to evade detection. The malware's accessibility through MaaS has made it popular among diverse threat actors, complicating attribution efforts.", "modified": "2025-01-17T18:00:54.511000", "created": "2024-12-18T18:13:53.036000", "tags": [ "phishing", "social engineering", "", "Malware-as-a-Service (MaaS)", "Python", "LummaStealer" ], "references": [ "https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 11, "FileHash-SHA256": 6, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386518, "modified_text": "498 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a77fc17b89a02fdef8ffee", "name": "Malware Distributed Using Falcon Sensor Update Phishing Lure", "description": "CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stealer' distribution effort leveraging advanced social engineering techniques. The malware evades detection by terminating if security products are detected, and employs multiple layers of obfuscation. It ultimately connects to command and control servers to exfiltrate stolen data.", "modified": "2024-07-29T11:51:24.299000", "created": "2024-07-29T11:40:49.100000", "tags": [ "phishing", "stealer", "lumma stealer", "malspam", "lumma" ], "references": [ "https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 254, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66aba1d4ed0cf81e939c043e", "name": "CrowdStrike_Phishing_08012024", "description": "", "modified": "2024-08-01T14:55:16.771000", "created": "2024-08-01T14:55:16.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 553, "hostname": 2077, "URL": 1 }, "indicator_count": 2631, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "667 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a9de047564c0241ce8e8bc", "name": "Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure | InfoStealers", "description": "A Phishing Lure using a Falcon sensor update has been identified by CrowdStrike Intelligence and is likely linked to a June 2024 Lumma Stealer distribution campaign, according to the firm's research.", "modified": "2024-07-31T06:47:32.403000", "created": "2024-07-31T06:47:32.403000", "tags": [ "lumma stealer", "strong", "sha256 hash", "july", "autoit script", "report", "using falcon", "sensor update", "phishing lure", "free individual", "stealer", "autoit", "june", "nsis", "execution", "shell", "stop", "malware", "infostealer", "luca stealer", "aurora stealer", "erbium stealer", "cybercriminals", "lumma" ], "references": [ "https://www.infostealers.com/article/lumma-stealer-packed-with-cypherit-distributed-using-falcon-sensor-update-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cybercriminals", "display_name": "Cybercriminals", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "669 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a74eed1204c22686cc084d", "name": "Malware Distributed Using Falcon Sensor Update Phishing Lure | CrowdStrike", "description": "A phishing domain that impersonates CrowdStrike has been identified and used to deliver malware packed with CypherIt, as part of a global cyber-attack campaign in the early 20th Century.", "modified": "2024-07-29T08:12:29.092000", "created": "2024-07-29T08:12:29.092000", "tags": [ "lumma stealer", "sha256 hash", "autoit script", "july", "crowdstrike", "falcon sensor", "nsis installer", "figure", "autoit", "autoit loader", "june", "nsis", "shell", "lumma" ], "references": [ "https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "671 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a39d5f04fbea853949f660", "name": "CrowdStrike Domains Pumping Out Lumma Infostealing Malware", "description": "Crowdstrike-office365.com is a website for people who work in the office, but what do you know about it and what can you do about the content?. \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0.", "modified": "2024-07-26T12:58:07.087000", "created": "2024-07-26T12:58:07.087000", "tags": [ "urls", "domain", "hash", "classification", "confidential p", "c2 urls" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 17, "domain": 11, "hostname": 1 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "673 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.infostealers.com/article/lumma-stealer-packed-with-cypherit-distributed-using-falcon-sensor-update-phishing-lure/", "https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer", "https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/", "IOCs.2026.2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lummastealer", "Lumma stealer" ], "industries": [] }, "other": { "adversary": [ "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares" ], "malware_families": [ "Cybercriminals", "Lumma" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "676310e1b8c826f2b01166dc", "name": "Your Data Is Under New Management: The Rise of LummaStealer", "description": "LummaStealer, a relatively new information-stealing malware, has gained prominence since 2022 for its ability to collect sensitive data from Windows systems. Marketed as Malware-as-a-Service (MaaS) on underground forums, it targets individuals, cryptocurrency users, and small to medium-sized businesses. The malware employs various infection vectors, including phishing emails, cracked software, and malicious downloads. It harvests credentials, cookies, cryptocurrency wallets, and system information, exfiltrating data to remote servers. Recent campaigns have shown increased sophistication in social engineering tactics and the use of legitimate platforms like Steam and Dropbox to evade detection. The malware's accessibility through MaaS has made it popular among diverse threat actors, complicating attribution efforts.", "modified": "2025-01-17T18:00:54.511000", "created": "2024-12-18T18:13:53.036000", "tags": [ "phishing", "social engineering", "", "Malware-as-a-Service (MaaS)", "Python", "LummaStealer" ], "references": [ "https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 11, "FileHash-SHA256": 6, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386518, "modified_text": "498 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a77fc17b89a02fdef8ffee", "name": "Malware Distributed Using Falcon Sensor Update Phishing Lure", "description": "CrowdStrike Intelligence uncovered a phishing campaign impersonating CrowdStrike and distributing malicious files containing a Microsoft Installer (MSI) loader. The loader executes the commodity stealer 'Lumma Stealer' packed with 'CypherIt'. This campaign is likely linked to a previous 'Lumma Stealer' distribution effort leveraging advanced social engineering techniques. The malware evades detection by terminating if security products are detected, and employs multiple layers of obfuscation. It ultimately connects to command and control servers to exfiltrate stolen data.", "modified": "2024-07-29T11:51:24.299000", "created": "2024-07-29T11:40:49.100000", "tags": [ "phishing", "stealer", "lumma stealer", "malspam", "lumma" ], "references": [ "https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 254, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "553 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66aba1d4ed0cf81e939c043e", "name": "CrowdStrike_Phishing_08012024", "description": "", "modified": "2024-08-01T14:55:16.771000", "created": "2024-08-01T14:55:16.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 553, "hostname": 2077, "URL": 1 }, "indicator_count": 2631, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "667 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a9de047564c0241ce8e8bc", "name": "Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure | InfoStealers", "description": "A Phishing Lure using a Falcon sensor update has been identified by CrowdStrike Intelligence and is likely linked to a June 2024 Lumma Stealer distribution campaign, according to the firm's research.", "modified": "2024-07-31T06:47:32.403000", "created": "2024-07-31T06:47:32.403000", "tags": [ "lumma stealer", "strong", "sha256 hash", "july", "autoit script", "report", "using falcon", "sensor update", "phishing lure", "free individual", "stealer", "autoit", "june", "nsis", "execution", "shell", "stop", "malware", "infostealer", "luca stealer", "aurora stealer", "erbium stealer", "cybercriminals", "lumma" ], "references": [ "https://www.infostealers.com/article/lumma-stealer-packed-with-cypherit-distributed-using-falcon-sensor-update-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cybercriminals", "display_name": "Cybercriminals", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "669 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a74eed1204c22686cc084d", "name": "Malware Distributed Using Falcon Sensor Update Phishing Lure | CrowdStrike", "description": "A phishing domain that impersonates CrowdStrike has been identified and used to deliver malware packed with CypherIt, as part of a global cyber-attack campaign in the early 20th Century.", "modified": "2024-07-29T08:12:29.092000", "created": "2024-07-29T08:12:29.092000", "tags": [ "lumma stealer", "sha256 hash", "autoit script", "july", "crowdstrike", "falcon sensor", "nsis installer", "figure", "autoit", "autoit loader", "june", "nsis", "shell", "lumma" ], "references": [ "https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 20, "domain": 11, "hostname": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "671 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "crowdstrike-office365.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "crowdstrike-office365.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780227619.0289881 }