{
  "type": "Domain",
  "indicator": "crysome.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/crysome.net",
    "alexa": "http://www.alexa.com/siteinfo/crysome.net",
    "indicator": "crysome.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4285300876,
      "indicator": "crysome.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69cbf2e4685c6f31a7715a5f",
          "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
          "description": "CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments.",
          "modified": "2026-03-31T18:40:20.366000",
          "created": "2026-03-31T16:14:28.748000",
          "tags": [
            "rat",
            ".net",
            "stealth",
            "c#",
            "remote access",
            "credential theft",
            "defense evasion",
            "crysome rat",
            "hvnc",
            "persistence",
            "avkiller"
          ],
          "references": [
            "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CrySome RAT",
              "display_name": "CrySome RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 2,
            "domain": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386478,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a82c53aae1e6d8b8213ff9",
          "name": "TTB-Chained (Tehran-Transversal Belasco Chain)",
          "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos",
          "modified": "2026-05-31T01:02:14",
          "created": "2026-03-04T12:57:55.771000",
          "tags": [],
          "references": [
            "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 4,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 22,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "URL": 12,
            "hostname": 10,
            "domain": 9,
            "CVE": 12,
            "YARA": 6
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "3 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699e76bb092a7cadf2ef9ddd",
          "name": "DEFENDER's TI (Compiled)",
          "description": "This pulse contains IOCs shared by Defender in the Threat Analytics blogs and more.",
          "modified": "2026-05-13T11:08:51.619000",
          "created": "2026-02-25T04:12:43.120000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sharkstriker_soc",
            "id": "139120",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 65,
            "domain": 68,
            "hostname": 389,
            "FileHash-MD5": 332,
            "FileHash-SHA1": 326,
            "FileHash-SHA256": 1063,
            "email": 1
          },
          "indicator_count": 2244,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "17 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd4ab845e4c43edd557b92",
          "name": "EbeeMar2026 Pt8",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:41:28.726000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 77,
            "FileHash-MD5": 156,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 186,
            "CVE": 1,
            "URL": 19,
            "email": 6,
            "hostname": 53
          },
          "indicator_count": 657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cca052ca3d74e35e1a8c15",
          "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
          "description": "",
          "modified": "2026-04-01T04:34:26.553000",
          "created": "2026-04-01T04:34:26.553000",
          "tags": [
            "rat",
            ".net",
            "stealth",
            "c#",
            "remote access",
            "credential theft",
            "defense evasion",
            "crysome rat",
            "hvnc",
            "persistence",
            "avkiller"
          ],
          "references": [
            "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CrySome RAT",
              "display_name": "CrySome RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69cbf2e4685c6f31a7715a5f",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 2,
            "domain": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "59 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a185462e3c17c346bcdf79",
          "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion",
          "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.",
          "modified": "2026-04-01T00:44:45.494000",
          "created": "2026-02-27T11:51:34.696000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 710,
            "URL": 355,
            "hostname": 252,
            "CVE": 4,
            "CIDR": 6,
            "FileHash-MD5": 615,
            "FileHash-SHA1": 585,
            "email": 21,
            "FileHash-SHA256": 4316,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 6866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cbc6158b16dc33d6f16b9b",
          "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan - CYFIRMA",
          "description": "The CrySome RAT is an advanced, stealthy remote access trojan designed to survive system resets and evade detection, according to an analysis by security researchers at the Institute for Strategic Studies.",
          "modified": "2026-03-31T13:03:17.315000",
          "created": "2026-03-31T13:03:17.315000",
          "tags": [
            "crysome",
            "crysome rat",
            "crysomerat",
            "windows",
            "hvnc",
            "avkiller",
            "powershell",
            "ifeo",
            "avkiller module",
            "control",
            "persistence",
            "bsod",
            "beyond",
            "desktop",
            "defender",
            "stealth",
            "path",
            "rats",
            "sabotage",
            "install",
            "spynet",
            "telegram",
            "date"
          ],
          "references": [
            "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CrySome",
              "display_name": "CrySome",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "60 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c9618feba97c3f25b8456b",
          "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
          "description": "CrySome is an advanced .NET Remote Access Trojan (RAT) engineered to establish a persistent command-and-control (C2) channel over TCP, enabling comprehensive control over compromised devices. It exhibits an array of functionalities, including command execution, file manipulation, surveillance, and credential theft, but is particularly noted for its sophisticated persistence, anti-removal features, and evasion tactics.",
          "modified": "2026-03-29T17:29:51.203000",
          "created": "2026-03-29T17:29:51.203000",
          "tags": [
            "crysome",
            "crysome rat",
            "crysomerat",
            "windows",
            "hvnc",
            "avkiller",
            "powershell",
            "ifeo",
            "avkiller module",
            "control",
            "persistence",
            "bsod",
            "beyond",
            "desktop",
            "defender",
            "stealth",
            "path",
            "rats",
            "sabotage",
            "install",
            "spynet",
            "telegram",
            "date"
          ],
          "references": [
            "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CrySome",
              "display_name": "CrySome",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "62 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan",
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/",
        "IOCs.2026.pdf",
        "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Crysome rat"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT"
          ],
          "malware_families": [
            "Crysome",
            "Crysome rat"
          ],
          "industries": [
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69cbf2e4685c6f31a7715a5f",
      "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
      "description": "CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments.",
      "modified": "2026-03-31T18:40:20.366000",
      "created": "2026-03-31T16:14:28.748000",
      "tags": [
        "rat",
        ".net",
        "stealth",
        "c#",
        "remote access",
        "credential theft",
        "defense evasion",
        "crysome rat",
        "hvnc",
        "persistence",
        "avkiller"
      ],
      "references": [
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CrySome RAT",
          "display_name": "CrySome RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 2,
        "domain": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386478,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a82c53aae1e6d8b8213ff9",
      "name": "TTB-Chained (Tehran-Transversal Belasco Chain)",
      "description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos",
      "modified": "2026-05-31T01:02:14",
      "created": "2026-03-04T12:57:55.771000",
      "tags": [],
      "references": [
        "https://viz.greynoise.io/ip/analysis/bdc9bb74-09d0-4c5f-8b1a-b50"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 4,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 22,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "URL": 12,
        "hostname": 10,
        "domain": 9,
        "CVE": 12,
        "YARA": 6
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "3 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699e76bb092a7cadf2ef9ddd",
      "name": "DEFENDER's TI (Compiled)",
      "description": "This pulse contains IOCs shared by Defender in the Threat Analytics blogs and more.",
      "modified": "2026-05-13T11:08:51.619000",
      "created": "2026-02-25T04:12:43.120000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sharkstriker_soc",
        "id": "139120",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 65,
        "domain": 68,
        "hostname": 389,
        "FileHash-MD5": 332,
        "FileHash-SHA1": 326,
        "FileHash-SHA256": 1063,
        "email": 1
      },
      "indicator_count": 2244,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "17 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd4ab845e4c43edd557b92",
      "name": "EbeeMar2026 Pt8",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:41:28.726000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 77,
        "FileHash-MD5": 156,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 186,
        "CVE": 1,
        "URL": 19,
        "email": 6,
        "hostname": 53
      },
      "indicator_count": 657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cca052ca3d74e35e1a8c15",
      "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
      "description": "",
      "modified": "2026-04-01T04:34:26.553000",
      "created": "2026-04-01T04:34:26.553000",
      "tags": [
        "rat",
        ".net",
        "stealth",
        "c#",
        "remote access",
        "credential theft",
        "defense evasion",
        "crysome rat",
        "hvnc",
        "persistence",
        "avkiller"
      ],
      "references": [
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CrySome RAT",
          "display_name": "CrySome RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69cbf2e4685c6f31a7715a5f",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 2,
        "domain": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "59 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a185462e3c17c346bcdf79",
      "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion",
      "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.",
      "modified": "2026-04-01T00:44:45.494000",
      "created": "2026-02-27T11:51:34.696000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 710,
        "URL": 355,
        "hostname": 252,
        "CVE": 4,
        "CIDR": 6,
        "FileHash-MD5": 615,
        "FileHash-SHA1": 585,
        "email": 21,
        "FileHash-SHA256": 4316,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 6866,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cbc6158b16dc33d6f16b9b",
      "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan - CYFIRMA",
      "description": "The CrySome RAT is an advanced, stealthy remote access trojan designed to survive system resets and evade detection, according to an analysis by security researchers at the Institute for Strategic Studies.",
      "modified": "2026-03-31T13:03:17.315000",
      "created": "2026-03-31T13:03:17.315000",
      "tags": [
        "crysome",
        "crysome rat",
        "crysomerat",
        "windows",
        "hvnc",
        "avkiller",
        "powershell",
        "ifeo",
        "avkiller module",
        "control",
        "persistence",
        "bsod",
        "beyond",
        "desktop",
        "defender",
        "stealth",
        "path",
        "rats",
        "sabotage",
        "install",
        "spynet",
        "telegram",
        "date"
      ],
      "references": [
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CrySome",
          "display_name": "CrySome",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "60 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c9618feba97c3f25b8456b",
      "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
      "description": "CrySome is an advanced .NET Remote Access Trojan (RAT) engineered to establish a persistent command-and-control (C2) channel over TCP, enabling comprehensive control over compromised devices. It exhibits an array of functionalities, including command execution, file manipulation, surveillance, and credential theft, but is particularly noted for its sophisticated persistence, anti-removal features, and evasion tactics.",
      "modified": "2026-03-29T17:29:51.203000",
      "created": "2026-03-29T17:29:51.203000",
      "tags": [
        "crysome",
        "crysome rat",
        "crysomerat",
        "windows",
        "hvnc",
        "avkiller",
        "powershell",
        "ifeo",
        "avkiller module",
        "control",
        "persistence",
        "bsod",
        "beyond",
        "desktop",
        "defender",
        "stealth",
        "path",
        "rats",
        "sabotage",
        "install",
        "spynet",
        "telegram",
        "date"
      ],
      "references": [
        "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CrySome",
          "display_name": "CrySome",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [
        "Healthcare"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "62 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "crysome.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "crysome.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780200770.692901
}