{
  "type": "Domain",
  "indicator": "delete.me",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/delete.me",
    "alexa": "http://www.alexa.com/siteinfo/delete.me",
    "indicator": "delete.me",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3629560213,
      "indicator": "delete.me",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 17,
      "pulses": [
        {
          "id": "691b65be81167e8300b087de",
          "name": "Cat's Got Your Files: Lynx Ransomware",
          "description": "A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed AnyDesk for persistence. Over nine days, the actor conducted extensive network reconnaissance using SoftPerfect NetScan and NetExec, mapped virtualization infrastructure, and browsed file shares. They exfiltrated sensitive data from multiple shares using temp.sh. On the final day, the actor connected to backup servers, deleted backup jobs, and deployed Lynx ransomware across multiple servers. The intrusion lasted 178 hours and leveraged compromised domain admin credentials throughout.",
          "modified": "2025-12-17T18:02:45.776000",
          "created": "2025-11-17T18:13:18.402000",
          "tags": [
            "network reconnaissance",
            "lynx ransomware",
            "rdp",
            "backup deletion",
            "credential abuse",
            "data exfiltration",
            "ransomware",
            "lateral movement"
          ],
          "references": [
            "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1136.002",
              "name": "Domain Account",
              "display_name": "T1136.002 - Domain Account"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "domain": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387185,
          "modified_text": "168 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682aeeb0cc1b99346ea53ce7",
          "name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware",
          "description": "A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various techniques, and harvested credentials with tools like Mimikatz. They moved laterally using compromised domain admin credentials, accessing multiple systems via RDP and WMI. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, on key servers approximately 62 hours after initial access. While ransomware was deployed and some logs deleted, no significant data exfiltration was observed.",
          "modified": "2025-06-18T08:01:51.853000",
          "created": "2025-05-19T08:41:19.537000",
          "tags": [
            "metasploit",
            "ransomware",
            "cve-2021-34527",
            "mimikatz",
            "cve-2020-1472",
            "cve-2023-22527",
            "elpaco-team",
            "confluence"
          ],
          "references": [
            "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware"
          ],
          "public": 1,
          "adversary": "ELPACO-team",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ELPACO-team",
              "display_name": "ELPACO-team",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1003.003",
              "name": "NTDS",
              "display_name": "T1003.003 - NTDS"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 63,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 28,
            "FileHash-SHA1": 28,
            "FileHash-SHA256": 29,
            "domain": 1
          },
          "indicator_count": 90,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387181,
          "modified_text": "350 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ce349a964f9f09f38babbc",
          "name": "Facebook Warns Users After Adobe Breach \u2013 Krebs on Security",
          "description": "The following is a guide to key information found in the 2013 Adobe data leak, as well as the key details of key passwords and other key data, which were leaked to the public and shared online. The clue was in the oa oa (auth) / or oa (adobe office) - more to come.",
          "modified": "2026-05-02T00:08:01.198000",
          "created": "2026-04-02T09:19:22.046000",
          "tags": [
            "graham cluley",
            "adobe",
            "factors",
            "codebook",
            "2 list",
            "ecb mode",
            "triple des",
            "key strings",
            "facebook",
            "nancarrow",
            "adobe data",
            "jay nancarrow",
            "paul ducklin",
            "sophos",
            "adobe account",
            "update",
            "sunday",
            "woopie",
            "\u2019m",
            "hummmmmm",
            "been",
            "guardio",
            "password",
            "sponsored get",
            "me api",
            "out dashboard",
            "october",
            "recommended",
            "actions",
            "adobe breach",
            "levelblue",
            "alienvault",
            "enter",
            "otx platform",
            "electronic",
            "adobe ecb",
            "unix",
            "usenet",
            "said",
            "stanford",
            "msdos",
            "lisp",
            "sail",
            "teco",
            "hacker",
            "term",
            "stack",
            "core",
            "hack",
            "flame",
            "worm",
            "uucp",
            "acronym",
            "crunch",
            "shell",
            "advent",
            "close",
            "choke",
            "crash",
            "demon",
            "phase",
            "eris",
            "glitch",
            "hello",
            "trash",
            "open",
            "nanobot",
            "magic",
            "cracker",
            "blast",
            "burn",
            "cray",
            "bogus",
            "bounce",
            "meta",
            "copyleft",
            "dragon",
            "phantom",
            "mango",
            "iron",
            "waldo",
            "funky",
            "grovel",
            "rogue",
            "life",
            "back",
            "slime",
            "knight",
            "spin",
            "chad",
            "cookie",
            "empire",
            "discord",
            "flytrap",
            "june",
            "problem",
            "mutter",
            "tick",
            "storm",
            "music",
            "trivial",
            "push",
            "window",
            "drives",
            "jack",
            "yoyo",
            "general",
            "dirty",
            "ping",
            "benchmark",
            "shift",
            "blazer",
            "false",
            "damage",
            "horror",
            "tron",
            "anchor",
            "download",
            "snoopy",
            "enterprise",
            "mind",
            "epsilon",
            "chaos",
            "beep",
            "ding",
            "finger",
            "parody",
            "fool",
            "footprint",
            "lightning",
            "grep",
            "grok",
            "orig",
            "hair",
            "february",
            "razor",
            "hook",
            "this",
            "green",
            "warner",
            "lexer",
            "code",
            "blank",
            "mars",
            "bach",
            "xenon",
            "mensa",
            "police",
            "nethack",
            "mark",
            "path",
            "silly",
            "nuke",
            "find",
            "panic",
            "patch",
            "compiler",
            "friday",
            "prowler",
            "drop",
            "school",
            "beast",
            "rape",
            "comment",
            "simple",
            "small",
            "infinity",
            "terminal",
            "wallpaper",
            "zero",
            "zombie",
            "loader",
            "diablo",
            "wormhole",
            "write",
            "anime",
            "google",
            "creek",
            "save saved",
            "palo alto",
            "reviews google",
            "reviews",
            "rate",
            "review",
            "adobe creek",
            "wabbit",
            "multics",
            "gedanken",
            "file",
            "jargon file",
            "english",
            "next",
            "previous",
            "steele1983",
            "writing style",
            "format",
            "bill",
            "april",
            "explorer",
            "chon",
            "loud",
            "swedish",
            "philadelphia",
            "postscript",
            "jonl",
            "system",
            "pdp10",
            "uncle gaylord",
            "el camino",
            "bits",
            "bugs",
            "error",
            "losers",
            "alphabet",
            "alpha",
            "venus",
            "star",
            "period",
            "delta",
            "shoe",
            "galileo",
            "movie",
            "coke",
            "ravs",
            "murphy",
            "beethoven",
            "never",
            "generator",
            "august",
            "ginger",
            "hacked",
            "tech",
            "energy",
            "abagnale",
            "main official",
            "publications",
            "tips",
            "list",
            "privacy guard",
            "partner",
            "3 notable",
            "hacks",
            "frauds",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "thumbprint",
            "v3 serial",
            "number",
            "cus ogoogle",
            "trust",
            "cnwr3 validity",
            "subject public"
          ],
          "references": [
            "https://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/",
            "https://haveibeenpwned.com/breach/Adobe",
            "https://magic-cookie.co.uk/jargon/jarg211/jargon.htm#:~:text=terminate%20a%20conversation.%20Typical%20examples%20involve%20WIN%2C,flame.%22%20%22Boy%2C%20what%20a%20bagbiter!%20Chomp%2C%20chomp!%22",
            "https://www.google.com/viewer/place?mid=/m/0805kv4&sa=X&ved=2ahUKEwifwpDL186TAxVWlYkEHfhkM8wQqdYPegQIBhAG",
            "https://www.netmeister.org/news/jargon.html",
            "http://xahlee.info/comp/the_jargon_file.html"
          ],
          "public": 1,
          "adversary": "Woopie",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "\u2019m",
              "display_name": "\u2019m",
              "target": null
            },
            {
              "id": "Hummmmmm",
              "display_name": "Hummmmmm",
              "target": null
            },
            {
              "id": "WABBIT",
              "display_name": "WABBIT",
              "target": null
            },
            {
              "id": "MULTICS",
              "display_name": "MULTICS",
              "target": null
            },
            {
              "id": "GEDANKEN",
              "display_name": "GEDANKEN",
              "target": null
            },
            {
              "id": "Usenet",
              "display_name": "Usenet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Defense",
            "Gas"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 91,
            "domain": 23,
            "hostname": 30,
            "email": 27,
            "FileHash-SHA256": 102,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 36
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ce347222098a7c1739af70",
          "name": "Facebook Warns Users After Adobe Breach \u2013 Krebs on Security",
          "description": "The following is a guide to key information found in the 2013 Adobe data leak, as well as the key details of key passwords and other key data, which were leaked to the public and shared online. The clue was in the oa oa (auth) / or oa (adobe office) - more to come.",
          "modified": "2026-05-02T00:08:01.198000",
          "created": "2026-04-02T09:18:42.940000",
          "tags": [
            "graham cluley",
            "adobe",
            "factors",
            "codebook",
            "2 list",
            "ecb mode",
            "triple des",
            "key strings",
            "facebook",
            "nancarrow",
            "adobe data",
            "jay nancarrow",
            "paul ducklin",
            "sophos",
            "adobe account",
            "update",
            "sunday",
            "woopie",
            "\u2019m",
            "hummmmmm",
            "been",
            "guardio",
            "password",
            "sponsored get",
            "me api",
            "out dashboard",
            "october",
            "recommended",
            "actions",
            "adobe breach",
            "levelblue",
            "alienvault",
            "enter",
            "otx platform",
            "electronic",
            "adobe ecb",
            "unix",
            "usenet",
            "said",
            "stanford",
            "msdos",
            "lisp",
            "sail",
            "teco",
            "hacker",
            "term",
            "stack",
            "core",
            "hack",
            "flame",
            "worm",
            "uucp",
            "acronym",
            "crunch",
            "shell",
            "advent",
            "close",
            "choke",
            "crash",
            "demon",
            "phase",
            "eris",
            "glitch",
            "hello",
            "trash",
            "open",
            "nanobot",
            "magic",
            "cracker",
            "blast",
            "burn",
            "cray",
            "bogus",
            "bounce",
            "meta",
            "copyleft",
            "dragon",
            "phantom",
            "mango",
            "iron",
            "waldo",
            "funky",
            "grovel",
            "rogue",
            "life",
            "back",
            "slime",
            "knight",
            "spin",
            "chad",
            "cookie",
            "empire",
            "discord",
            "flytrap",
            "june",
            "problem",
            "mutter",
            "tick",
            "storm",
            "music",
            "trivial",
            "push",
            "window",
            "drives",
            "jack",
            "yoyo",
            "general",
            "dirty",
            "ping",
            "benchmark",
            "shift",
            "blazer",
            "false",
            "damage",
            "horror",
            "tron",
            "anchor",
            "download",
            "snoopy",
            "enterprise",
            "mind",
            "epsilon",
            "chaos",
            "beep",
            "ding",
            "finger",
            "parody",
            "fool",
            "footprint",
            "lightning",
            "grep",
            "grok",
            "orig",
            "hair",
            "february",
            "razor",
            "hook",
            "this",
            "green",
            "warner",
            "lexer",
            "code",
            "blank",
            "mars",
            "bach",
            "xenon",
            "mensa",
            "police",
            "nethack",
            "mark",
            "path",
            "silly",
            "nuke",
            "find",
            "panic",
            "patch",
            "compiler",
            "friday",
            "prowler",
            "drop",
            "school",
            "beast",
            "rape",
            "comment",
            "simple",
            "small",
            "infinity",
            "terminal",
            "wallpaper",
            "zero",
            "zombie",
            "loader",
            "diablo",
            "wormhole",
            "write",
            "anime",
            "google",
            "creek",
            "save saved",
            "palo alto",
            "reviews google",
            "reviews",
            "rate",
            "review",
            "adobe creek",
            "wabbit",
            "multics",
            "gedanken",
            "file",
            "jargon file",
            "english",
            "next",
            "previous",
            "steele1983",
            "writing style",
            "format",
            "bill",
            "april",
            "explorer",
            "chon",
            "loud",
            "swedish",
            "philadelphia",
            "postscript",
            "jonl",
            "system",
            "pdp10",
            "uncle gaylord",
            "el camino",
            "bits",
            "bugs",
            "error",
            "losers",
            "alphabet",
            "alpha",
            "venus",
            "star",
            "period",
            "delta",
            "shoe",
            "galileo",
            "movie",
            "coke",
            "ravs",
            "murphy",
            "beethoven",
            "never",
            "generator",
            "august",
            "ginger",
            "hacked",
            "tech",
            "energy",
            "abagnale",
            "main official",
            "publications",
            "tips",
            "list",
            "privacy guard",
            "partner",
            "3 notable",
            "hacks",
            "frauds",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "thumbprint",
            "v3 serial",
            "number",
            "cus ogoogle",
            "trust",
            "cnwr3 validity",
            "subject public"
          ],
          "references": [
            "https://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/",
            "https://haveibeenpwned.com/breach/Adobe",
            "https://magic-cookie.co.uk/jargon/jarg211/jargon.htm#:~:text=terminate%20a%20conversation.%20Typical%20examples%20involve%20WIN%2C,flame.%22%20%22Boy%2C%20what%20a%20bagbiter!%20Chomp%2C%20chomp!%22",
            "https://www.google.com/viewer/place?mid=/m/0805kv4&sa=X&ved=2ahUKEwifwpDL186TAxVWlYkEHfhkM8wQqdYPegQIBhAG",
            "https://www.netmeister.org/news/jargon.html",
            "http://xahlee.info/comp/the_jargon_file.html"
          ],
          "public": 1,
          "adversary": "Woopie",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "\u2019m",
              "display_name": "\u2019m",
              "target": null
            },
            {
              "id": "Hummmmmm",
              "display_name": "Hummmmmm",
              "target": null
            },
            {
              "id": "WABBIT",
              "display_name": "WABBIT",
              "target": null
            },
            {
              "id": "MULTICS",
              "display_name": "MULTICS",
              "target": null
            },
            {
              "id": "GEDANKEN",
              "display_name": "GEDANKEN",
              "target": null
            },
            {
              "id": "Usenet",
              "display_name": "Usenet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Defense",
            "Gas"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 91,
            "domain": 23,
            "hostname": 30,
            "email": 27,
            "FileHash-SHA256": 102,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 36
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "32 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bbba3ed3b01bcf222ccc1d",
          "name": "EbeeMar2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-18T08:06:12.483000",
          "created": "2026-03-19T08:56:30.058000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara"
          ],
          "references": [
            "IOCs.2026.3.csv"
          ],
          "public": 1,
          "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 97,
            "URL": 96,
            "CVE": 3,
            "FileHash-MD5": 93,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 153,
            "domain": 156,
            "email": 9
          },
          "indicator_count": 708,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b0bc8d6c219cb8f9e178d2",
          "name": "Attackers Exploit FortiGate Edge Devices to Breach Enterprise Networks",
          "description": "SentinelOne is the world\u2019s leading provider of artificial intelligence-powered security solutions, with the launch of Singularity XDR at the RSAC\u2122 2026 Conference in Las Vegas, USA.",
          "modified": "2026-04-10T00:22:59.717000",
          "created": "2026-03-11T00:51:25.884000",
          "tags": [
            "incident",
            "c2 domain",
            "fortigate",
            "java",
            "account",
            "urls https",
            "pulseway rmm",
            "account names",
            "created",
            "threat actor",
            "siem",
            "ip address",
            "fortinet",
            "february",
            "iocs",
            "meshagent",
            "event id",
            "spns",
            "powershell",
            "ukraine",
            "tools",
            "service"
          ],
          "references": [
            "https://www.sentinelone.com/blog/fortigate-edge-intrusions/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3,
            "CVE": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "54 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691d662359a87a337eff8e84",
          "name": "Cat\u2019s Got Your Files: Lynx Ransomware",
          "description": "A look back at the Lynx ransomware intrusion from March 2025 to November 19, 2025, and the details of the malware\u2019s time-to-ransomware deployment and how it unfolded.",
          "modified": "2025-12-19T06:03:21.189000",
          "created": "2025-11-19T06:39:31.108000",
          "tags": [
            "netscan",
            "ip address",
            "netexec",
            "lookalike",
            "remote desktop",
            "scanner",
            "opens",
            "lynx ransomware",
            "users",
            "rdp session",
            "anydesk",
            "ransomware",
            "metasploit",
            "shell",
            "service",
            "cobalt strike",
            "sliver",
            "powershell",
            "malware",
            "hypervisor",
            "bloodhound",
            "false",
            "empire",
            "exploit",
            "august",
            "model",
            "local",
            "impact",
            "facebook",
            "info",
            "lynx"
          ],
          "references": [
            "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Info",
              "display_name": "Info",
              "target": null
            },
            {
              "id": "Lynx",
              "display_name": "Lynx",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "domain": 3
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "166 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6863ce4bf9ce996080883327",
          "name": "Hide Your RDP: Password Spray Leads to RansomHub Deployment – The DFIR Report",
          "description": "",
          "modified": "2025-07-31T12:04:23.670000",
          "created": "2025-07-01T12:02:19.963000",
          "tags": [
            "redacted date",
            "redacted time",
            "advanced ip",
            "mimikatz",
            "scanner",
            "sysmon event",
            "handler",
            "splashtop",
            "netscan",
            "rclone",
            "service",
            "lsass",
            "nirsoft",
            "powershell",
            "shell",
            "impact",
            "june",
            "cobalt strike",
            "metasploit",
            "sliver",
            "tools",
            "ransomware",
            "desktop",
            "rats",
            "pass",
            "model",
            "execution",
            "hacktool",
            "facebook"
          ],
          "references": [
            "https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 1,
            "domain": 3
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "307 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682b610eef5809c18a12f700",
          "name": "ELPACO-team Ransomware Exploits Confluence Vulnerability (CVE-2023-22527)",
          "description": "On May 19, 2025, a detailed report revealed that the ELPACO-team ransomware exploited a known vulnerability (CVE-2023-22527) in an internet-facing Confluence server. The attackers used this vulnerability to gain remote code execution, followed by a series of automated commands to install AnyDesk, create admin users, and enable RDP. Tools like Mimikatz and ProcessHacker were employed to harvest credentials, culminating in the deployment of the ELPACO-team ransomware, a variant of Mimic ransomware. Despite the deployment of ransomware and deletion of some event logs, no significant data exfiltration was observed.",
          "modified": "2025-06-18T16:02:44.509000",
          "created": "2025-05-19T16:49:18.412000",
          "tags": [
            "anydesk",
            "ip address",
            "mimikatz",
            "metasploit",
            "sysmon",
            "confluence",
            "cve202322527",
            "sigma",
            "et exploit",
            "whoami",
            "meterpreter",
            "hacktool",
            "cobalt strike",
            "netscan",
            "impacket",
            "lsass",
            "service",
            "june",
            "path",
            "sliver",
            "execution",
            "persistence",
            "desktop",
            "python",
            "noname",
            "cloud",
            "virustotal",
            "powershell",
            "defendercontrol",
            "phase",
            "impact",
            "shell",
            "facebook",
            "blackbasta",
            "rpcss",
            "mimic"
          ],
          "references": [
            "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "BlackBasta",
              "display_name": "BlackBasta",
              "target": null
            },
            {
              "id": "RPCSS",
              "display_name": "RPCSS",
              "target": null
            },
            {
              "id": "Mimic",
              "display_name": "Mimic",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 29,
            "FileHash-SHA256": 29,
            "domain": 4
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 545,
          "modified_text": "350 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682afe31c17aec1131aaf968",
          "name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware – The DFIR Report",
          "description": "The DFIR Report case study (published May 2025) of an intrusion in which a public-facing Confluence server was exploited (CVE-2023-22527) and the environment subsequently fell to ELPACO-team ransomware.",
          "modified": "2025-06-18T09:03:17.225000",
          "created": "2025-05-19T09:47:28.407000",
          "tags": [
            "anydesk",
            "ip address",
            "mimikatz",
            "metasploit",
            "sysmon",
            "confluence",
            "cve202322527",
            "sigma",
            "et exploit",
            "whoami",
            "meterpreter",
            "hacktool",
            "cobalt strike",
            "netscan",
            "impacket",
            "lsass",
            "service",
            "june",
            "path",
            "sliver",
            "execution",
            "persistence",
            "desktop",
            "python",
            "noname",
            "cloud",
            "virustotal",
            "powershell",
            "defendercontrol",
            "phase",
            "impact",
            "shell",
            "facebook",
            "blackbasta",
            "rpcss",
            "mimic"
          ],
          "references": [
            "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#initial-access"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "BlackBasta",
              "display_name": "BlackBasta",
              "target": null
            },
            {
              "id": "RPCSS",
              "display_name": "RPCSS",
              "target": null
            },
            {
              "id": "Mimic",
              "display_name": "Mimic",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ahyka123",
            "id": "254370",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 29,
            "FileHash-SHA1": 29,
            "FileHash-SHA256": 29,
            "domain": 4
          },
          "indicator_count": 91,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "350 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67bdce2672af86eb5c09fa22",
          "name": "Confluence Exploit Leads to LockBit Ransomware – The DFIR Report",
          "description": "Full write-up from The DFIR Report (published February 2025) of an intrusion in which a public-facing Atlassian Confluence server was exploited via CVE-2023-22527, leading to credential theft, data exfiltration with RClone and the deployment of LockBit ransomware; AnyDesk was installed for persistent remote access.",
          "modified": "2025-03-27T13:04:22.643000",
          "created": "2025-02-25T14:05:26.705000",
          "tags": [
            "threattype/Ransomware",
            "threattype/Vulnerability Exploitation",
            "threattype/Malware",
            "kevc/Atlassian Confluence Data Center and Server CVE-2023-22527",
            "threattype/Data Exfiltration",
            "malware/Lockbit",
            "malware/Metasploit",
            "malware/Mimikatz",
            "malware/AnyDesk",
            "malware/RClone",
            "malware/PDQDeploy",
            "malware/SoftPerfect Network Scanner",
            "Industries/All Industries"
          ],
          "references": [
            "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "MimiKatz",
              "display_name": "MimiKatz",
              "target": null
            },
            {
              "id": "AnyDesk",
              "display_name": "AnyDesk",
              "target": null
            },
            {
              "id": "SoftPerfect Network Scanner",
              "display_name": "SoftPerfect Network Scanner",
              "target": null
            },
            {
              "id": "PDQDeploy",
              "display_name": "PDQDeploy",
              "target": null
            },
            {
              "id": "RClone",
              "display_name": "RClone",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1072",
              "name": "Software Deployment Tools",
              "display_name": "T1072 - Software Deployment Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            },
            {
              "id": "T1070.001",
              "name": "Clear Windows Event Logs",
              "display_name": "T1070.001 - Clear Windows Event Logs"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "433 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67bd4d45146c40e347af94d2",
          "name": "Confluence Exploit Leads to LockBit Ransomware – The DFIR Report",
          "description": "",
          "modified": "2025-03-27T04:00:07.838000",
          "created": "2025-02-25T04:55:33.877000",
          "tags": [
            "pdq deploy",
            "anydesk",
            "rclone",
            "powershell",
            "mimikatz",
            "windows event",
            "discovery",
            "cve202322527",
            "command",
            "execution",
            "metasploit",
            "netscan",
            "lockbit",
            "download",
            "shell",
            "impact",
            "ransom",
            "cobalt strike",
            "sliver",
            "ransomware",
            "february",
            "meterpreter",
            "virustotal",
            "model",
            "atomic",
            "generic",
            "hacktool",
            "write",
            "service"
          ],
          "references": [
            "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1072",
              "name": "Software Deployment Tools",
              "display_name": "T1072 - Software Deployment Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "433 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67bc6eace8ba98ebba263195",
          "name": "Confluence Exploit Leads to LockBit Ransomware – The DFIR Report",
          "description": "Full write-up from The DFIR Report (published February 2025) of an intrusion in which a public-facing Confluence server was exploited, leading to the deployment of LockBit ransomware across the environment. Malware families tracked by this pulse include Cobalt Strike, Metasploit/Meterpreter and ShadowSyndicate.",
          "modified": "2025-03-26T13:02:09.076000",
          "created": "2025-02-24T13:05:48.184000",
          "tags": [],
          "references": [
            "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Metasploit",
              "display_name": "Metasploit",
              "target": null
            },
            {
              "id": "ShadowSyndicate",
              "display_name": "ShadowSyndicate",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1072",
              "name": "Software Deployment Tools",
              "display_name": "T1072 - Software Deployment Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "434 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6710059101b736e38b9cd2b0",
          "name": "Black Basta",
          "description": "Black Basta is a financially motivated ransomware-as-a-service (RaaS) operation active since 2022. It targets organizations across sectors including manufacturing, healthcare and finance using double extortion: victims' systems are encrypted and stolen data is threatened with public release unless a ransom is paid. Initial access is typically gained through phishing campaigns and exploitation of known vulnerabilities (e.g. ZeroLogon, PrintNightmare, NoPac, ConnectWise ScreenConnect CVE-2024-1709), with tools such as Cobalt Strike, Mimikatz, PsExec and RClone used for post-exploitation and exfiltration. The group is known to collaborate with other cybercriminal actors, increasing the reach and sophistication of its attacks.",
          "modified": "2024-11-15T17:03:59.652000",
          "created": "2024-10-16T18:27:29.179000",
          "tags": [
            "strong",
            "black basta",
            "cisa",
            "powershell",
            "ransomware",
            "cobalt strike",
            "phishing",
            "mimikatz",
            "qakbot",
            "psexec",
            "bits",
            "webdav",
            "winscp",
            "conti",
            "anydesk",
            "quick assist",
            "netsupport",
            "windows",
            "blackbasta",
            "batloader",
            "rclone",
            "vmware esxi",
            "netcat",
            "qbot",
            "emotet",
            "trickbot",
            "pinkslipbot",
            "team",
            "C++",
            "Linux",
            "ChaCha20",
            "RSA-4096",
            "ConnectWise",
            "ZeroLogon",
            "NoPac",
            "PrintNightmare",
            "CVE-2024-1709",
            "CVE-2024-26169",
            "CVE-2020-1472",
            "CVE-2021-42278",
            "CVE-2021-42287",
            "CVE-2021-34527",
            "BITSAdmin",
            "Cobalt Strike",
            "Netcat",
            "ScreenConnect",
            "NetSupport Manager",
            "SystemBC",
            "Qakbot",
            "WMI",
            "RClone",
            "SoftPerfect",
            "BackStab",
            "EvilProxy",
            "Splashtop",
            "WinSCP",
            "C2",
            "CVE-2022-30190",
            "Storm-1811",
            "spear phishing",
            "Coroxy",
            "cobeacon",
            "RaaS",
            "aa24-131a",
            "wandering spider",
            "Conti",
            "wizard spider",
            "BGH"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
            "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
            "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
            "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
            "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
            "https://www.cve.org/CVERecord?id=CVE-2020-1472",
            "https://www.cve.org/CVERecord?id=CVE-2021-34527",
            "https://www.cve.org/CVERecord?id=CVE-2021-42278",
            "https://www.cve.org/CVERecord?id=CVE-2021-42287",
            "https://www.cve.org/CVERecord?id=CVE-2024-1709",
            "https://www.cve.org/CVERecord?id=CVE-2024-26169",
            "https://www.cve.org/CVERecord?id=CVE-2022-30190",
            "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
            "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
            "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta"
          ],
          "public": 1,
          "adversary": "Black Basta",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Canada",
            "Australia",
            "New Zealand",
            "Japan",
            "France",
            "United Kingdom of Great Britain and Northern Ireland",
            "Italy",
            "Switzerland"
          ],
          "malware_families": [
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            },
            {
              "id": "Qakbot",
              "display_name": "Qakbot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Black Basta",
              "display_name": "Black Basta",
              "target": null
            },
            {
              "id": "Primary NetSupport",
              "display_name": "Primary NetSupport",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Basta Linux",
              "display_name": "Basta Linux",
              "target": null
            },
            {
              "id": "Widespread QBot",
              "display_name": "Widespread QBot",
              "target": null
            },
            {
              "id": "Qbot",
              "display_name": "Qbot",
              "target": null
            },
            {
              "id": "TrojanDownloader:O97M/Qakbot",
              "display_name": "TrojanDownloader:O97M/Qakbot",
              "target": "/malware/TrojanDownloader:O97M/Qakbot"
            },
            {
              "id": "Trojan:Win32/QBot",
              "display_name": "Trojan:Win32/QBot",
              "target": "/malware/Trojan:Win32/QBot"
            },
            {
              "id": "Trojan:Win32/Qakbot",
              "display_name": "Trojan:Win32/Qakbot",
              "target": "/malware/Trojan:Win32/Qakbot"
            },
            {
              "id": "TrojanSpy:Win32/Qakbot",
              "display_name": "TrojanSpy:Win32/Qakbot",
              "target": "/malware/TrojanSpy:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Qakbot",
              "display_name": "Behavior:Win32/Qakbot",
              "target": "/malware/Behavior:Win32/Qakbot"
            },
            {
              "id": "Behavior:Win32/Basta",
              "display_name": "Behavior:Win32/Basta",
              "target": "/malware/Behavior:Win32/Basta"
            },
            {
              "id": "Ransom:Win32/Basta",
              "display_name": "Ransom:Win32/Basta",
              "target": "/malware/Ransom:Win32/Basta"
            },
            {
              "id": "Trojan:Win32/Basta",
              "display_name": "Trojan:Win32/Basta",
              "target": "/malware/Trojan:Win32/Basta"
            },
            {
              "id": "Behavior:Win32/CobaltStrike",
              "display_name": "Behavior:Win32/CobaltStrike",
              "target": "/malware/Behavior:Win32/CobaltStrike"
            },
            {
              "id": "Backdoor:Win64/CobaltStrike",
              "display_name": "Backdoor:Win64/CobaltStrike",
              "target": "/malware/Backdoor:Win64/CobaltStrike"
            },
            {
              "id": "HackTool:Win64/CobaltStrike",
              "display_name": "HackTool:Win64/CobaltStrike",
              "target": "/malware/HackTool:Win64/CobaltStrike"
            },
            {
              "id": "TrojanDropper:PowerShell/Cobacis",
              "display_name": "TrojanDropper:PowerShell/Cobacis",
              "target": "/malware/TrojanDropper:PowerShell/Cobacis"
            },
            {
              "id": "Trojan:Win64/TurtleLoader.CS",
              "display_name": "Trojan:Win64/TurtleLoader.CS",
              "target": "/malware/Trojan:Win64/TurtleLoader.CS"
            },
            {
              "id": "Exploit:Win32/ShellCode.BN",
              "display_name": "Exploit:Win32/ShellCode.BN",
              "target": "/malware/Exploit:Win32/ShellCode.BN"
            },
            {
              "id": "Behavior:Win32/SystemBC",
              "display_name": "Behavior:Win32/SystemBC",
              "target": "/malware/Behavior:Win32/SystemBC"
            },
            {
              "id": "Trojan: Win32/SystemBC",
              "display_name": "Trojan: Win32/SystemBC",
              "target": "/malware/Trojan: Win32/SystemBC"
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Healthcare",
            "Manufacturing",
            "Construction",
            "Retail",
            "Legal",
            "Finance",
            "Technology",
            "Emergency Services",
            "Media",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 111,
            "FileHash-SHA1": 110,
            "FileHash-SHA256": 148,
            "CVE": 7,
            "domain": 113,
            "hostname": 62,
            "URL": 4
          },
          "indicator_count": 555,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "565 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b7cf6e769fdeee59a49df6",
          "name": "Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - The DFIR Report",
          "description": "",
          "modified": "2024-02-28T12:01:37.210000",
          "created": "2024-01-29T16:16:46.412000",
          "tags": [
            "remote desktop",
            "reg add",
            "regdword",
            "netscan",
            "ip address",
            "trigona",
            "rdpgroup",
            "snap2html",
            "protocol",
            "rdp connection",
            "cobalt strike",
            "find",
            "psexec",
            "metasploit",
            "sliver",
            "viper",
            "havoc",
            "meterpreter",
            "ukraine",
            "powershell",
            "service",
            "defender",
            "mega",
            "june",
            "model",
            "atomic",
            "execution",
            "impact",
            "desktop users"
          ],
          "references": [
            "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/"
          ],
          "public": 1,
          "adversary": "Desktop Users",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Trigona",
              "display_name": "Trigona",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65b794dc6c08cd3a2f403f44",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "burtcha15",
            "id": "207697",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 3
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "826 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b794dc6c08cd3a2f403f44",
          "name": "Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - The DFIR Report",
          "description": "Here is a selection of highlights from SoftPerfect\u2019s 2016 report on the Trigona ransomware, which was deployed on Christmas Eve and spread across the entire network by the same threat actor.",
          "modified": "2024-02-28T12:01:37.210000",
          "created": "2024-01-29T12:06:52.710000",
          "tags": [
            "remote desktop",
            "reg add",
            "regdword",
            "netscan",
            "ip address",
            "trigona",
            "rdpgroup",
            "snap2html",
            "protocol",
            "rdp connection",
            "cobalt strike",
            "find",
            "psexec",
            "metasploit",
            "sliver",
            "viper",
            "havoc",
            "meterpreter",
            "ukraine",
            "powershell",
            "service",
            "defender",
            "mega",
            "june",
            "model",
            "atomic",
            "execution",
            "impact",
            "desktop users"
          ],
          "references": [
            "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/"
          ],
          "public": 1,
          "adversary": "Desktop Users",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Trigona",
              "display_name": "Trigona",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 3
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "826 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65b78331ba7a94d6fd9ce5c4",
          "name": "Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - The DFIR Report",
          "description": "Here is a selection of highlights from SoftPerfect\u2019s 2016 report on the Trigona ransomware, which was deployed on Christmas Eve and spread across the entire network by the same threat actor.",
          "modified": "2024-02-28T10:03:07.091000",
          "created": "2024-01-29T10:51:29.931000",
          "tags": [
            "remote desktop",
            "reg add",
            "regdword",
            "netscan",
            "ip address",
            "trigona",
            "rdpgroup",
            "snap2html",
            "protocol",
            "rdp connection",
            "cobalt strike",
            "find",
            "psexec",
            "metasploit",
            "sliver",
            "viper",
            "havoc",
            "meterpreter",
            "ukraine",
            "powershell",
            "service",
            "defender",
            "mega",
            "june",
            "model",
            "atomic",
            "execution",
            "impact",
            "desktop users"
          ],
          "references": [
            "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/"
          ],
          "public": 1,
          "adversary": "Desktop Users",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Trigona",
              "display_name": "Trigona",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChaiPatti",
            "id": "217274",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217274/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 3
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "826 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware",
        "https://magic-cookie.co.uk/jargon/jarg211/jargon.htm#:~:text=terminate%20a%20conversation.%20Typical%20examples%20involve%20WIN%2C,flame.%22%20%22Boy%2C%20what%20a%20bagbiter!%20Chomp%2C%20chomp!%22",
        "http://xahlee.info/comp/the_jargon_file.html",
        "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/",
        "https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta",
        "https://www.google.com/viewer/place?mid=/m/0805kv4&sa=X&ved=2ahUKEwifwpDL186TAxVWlYkEHfhkM8wQqdYPegQIBhAG",
        "https://www.cve.org/CVERecord?id=CVE-2022-30190",
        "IOCs.2026.3.csv",
        "https://www.netmeister.org/news/jargon.html",
        "https://www.cve.org/CVERecord?id=CVE-2021-42278",
        "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/",
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware",
        "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know",
        "https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/",
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#initial-access",
        "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/",
        "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks",
        "https://www.cve.org/CVERecord?id=CVE-2024-26169",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/",
        "https://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/",
        "https://www.cve.org/CVERecord?id=CVE-2024-1709",
        "https://haveibeenpwned.com/breach/Adobe",
        "https://www.cve.org/CVERecord?id=CVE-2020-1472",
        "https://www.cve.org/CVERecord?id=CVE-2021-34527",
        "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
        "https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/",
        "https://www.sentinelone.com/blog/fortigate-edge-intrusions/",
        "https://www.cve.org/CVERecord?id=CVE-2021-42287",
        "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "ELPACO-team"
          ],
          "malware_families": [
            "Elpaco-team"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST",
            "Black Basta",
            "Desktop Users",
            "Woopie"
          ],
          "malware_families": [
            "Black basta",
            "Lynx",
            "Conti",
            "Mimikatz",
            "Behavior:win32/basta",
            "Trigona",
            "Anydesk",
            "Trojandropper:powershell/cobacis",
            "Trojan: win32/systembc",
            "Trojan:win32/basta",
            "Lockbit",
            "Blackbasta",
            "Rclone",
            "Qakbot",
            "Gedanken",
            "Netsupport",
            "Trojanspy:win32/qakbot",
            "\u2019m",
            "Behavior:win32/cobaltstrike",
            "Meterpreter",
            "Shadowsyndicate",
            "Qbot",
            "Cobalt strike",
            "Softperfect network scanner",
            "Info",
            "Mimic",
            "Rpcss",
            "Trojandownloader:o97m/qakbot",
            "Behavior:win32/qakbot",
            "Basta linux",
            "Trojan:win32/qakbot",
            "Metasploit",
            "Exploit:win32/shellcode.bn",
            "Usenet",
            "Backdoor:win64/cobaltstrike",
            "Behavior:win32/systembc",
            "Pdqdeploy",
            "Trojan:win32/qbot",
            "Primary netsupport",
            "Multics",
            "Hacktool:win64/cobaltstrike",
            "Ransom:win32/basta",
            "Widespread qbot",
            "Hummmmmm",
            "Wabbit",
            "Trojan:win64/turtleloader.cs"
          ],
          "industries": [
            "Technology",
            "Finance",
            "Critical infrastructure",
            "Emergency services",
            "Construction",
            "Gas",
            "Transportation",
            "Defense",
            "Retail",
            "Manufacturing",
            "Media",
            "Legal",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 17,
  "pulses": [
    {
      "id": "691b65be81167e8300b087de",
      "name": "Cat's Got Your Files: Lynx Ransomware",
      "description": "A threat actor gained initial access to a network via RDP using compromised credentials, likely obtained through an infostealer, data breach, or initial access broker. They quickly moved laterally to a domain controller, created multiple impersonation accounts with high privileges, and installed AnyDesk for persistence. Over nine days, the actor conducted extensive network reconnaissance using SoftPerfect NetScan and NetExec, mapped virtualization infrastructure, and browsed file shares. They exfiltrated sensitive data from multiple shares using temp.sh. On the final day, the actor connected to backup servers, deleted backup jobs, and deployed Lynx ransomware across multiple servers. The intrusion lasted 178 hours and leveraged compromised domain admin credentials throughout.",
      "modified": "2025-12-17T18:02:45.776000",
      "created": "2025-11-17T18:13:18.402000",
      "tags": [
        "network reconnaissance",
        "lynx ransomware",
        "rdp",
        "backup deletion",
        "credential abuse",
        "data exfiltration",
        "ransomware",
        "lateral movement"
      ],
      "references": [
        "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1136.002",
          "name": "Domain Account",
          "display_name": "T1136.002 - Domain Account"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "domain": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387185,
      "modified_text": "168 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682aeeb0cc1b99346ea53ce7",
      "name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware",
      "description": "A threat actor exploited an unpatched Confluence server using CVE-2023-22527, gaining initial access. They used Metasploit for command and control, then installed AnyDesk for persistent remote access. The attacker performed extensive network discovery, attempted privilege escalation using various techniques, and harvested credentials with tools like Mimikatz. They moved laterally using compromised domain admin credentials, accessing multiple systems via RDP and WMI. The intrusion culminated in the deployment of ELPACO-team ransomware, a Mimic variant, on key servers approximately 62 hours after initial access. While ransomware was deployed and some logs deleted, no significant data exfiltration was observed.",
      "modified": "2025-06-18T08:01:51.853000",
      "created": "2025-05-19T08:41:19.537000",
      "tags": [
        "metasploit",
        "ransomware",
        "cve-2021-34527",
        "mimikatz",
        "cve-2020-1472",
        "cve-2023-22527",
        "elpaco-team",
        "confluence"
      ],
      "references": [
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware"
      ],
      "public": 1,
      "adversary": "ELPACO-team",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ELPACO-team",
          "display_name": "ELPACO-team",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1134.002",
          "name": "Create Process with Token",
          "display_name": "T1134.002 - Create Process with Token"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1003.003",
          "name": "NTDS",
          "display_name": "T1003.003 - NTDS"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 63,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 28,
        "FileHash-SHA1": 28,
        "FileHash-SHA256": 29,
        "domain": 1
      },
      "indicator_count": 90,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387181,
      "modified_text": "350 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ce349a964f9f09f38babbc",
      "name": "Facebook Warns Users After Adobe Breach \u2013 Krebs on Security",
      "description": "The following is a guide to key information found in the 2013 Adobe data leak, as well as the key details of key passwords and other key data, which were leaked to the public and shared online. The clue was in the oa oa (auth) / or oa (adobe office) - more to come.",
      "modified": "2026-05-02T00:08:01.198000",
      "created": "2026-04-02T09:19:22.046000",
      "tags": [
        "graham cluley",
        "adobe",
        "factors",
        "codebook",
        "2 list",
        "ecb mode",
        "triple des",
        "key strings",
        "facebook",
        "nancarrow",
        "adobe data",
        "jay nancarrow",
        "paul ducklin",
        "sophos",
        "adobe account",
        "update",
        "sunday",
        "woopie",
        "\u2019m",
        "hummmmmm",
        "been",
        "guardio",
        "password",
        "sponsored get",
        "me api",
        "out dashboard",
        "october",
        "recommended",
        "actions",
        "adobe breach",
        "levelblue",
        "alienvault",
        "enter",
        "otx platform",
        "electronic",
        "adobe ecb",
        "unix",
        "usenet",
        "said",
        "stanford",
        "msdos",
        "lisp",
        "sail",
        "teco",
        "hacker",
        "term",
        "stack",
        "core",
        "hack",
        "flame",
        "worm",
        "uucp",
        "acronym",
        "crunch",
        "shell",
        "advent",
        "close",
        "choke",
        "crash",
        "demon",
        "phase",
        "eris",
        "glitch",
        "hello",
        "trash",
        "open",
        "nanobot",
        "magic",
        "cracker",
        "blast",
        "burn",
        "cray",
        "bogus",
        "bounce",
        "meta",
        "copyleft",
        "dragon",
        "phantom",
        "mango",
        "iron",
        "waldo",
        "funky",
        "grovel",
        "rogue",
        "life",
        "back",
        "slime",
        "knight",
        "spin",
        "chad",
        "cookie",
        "empire",
        "discord",
        "flytrap",
        "june",
        "problem",
        "mutter",
        "tick",
        "storm",
        "music",
        "trivial",
        "push",
        "window",
        "drives",
        "jack",
        "yoyo",
        "general",
        "dirty",
        "ping",
        "benchmark",
        "shift",
        "blazer",
        "false",
        "damage",
        "horror",
        "tron",
        "anchor",
        "download",
        "snoopy",
        "enterprise",
        "mind",
        "epsilon",
        "chaos",
        "beep",
        "ding",
        "finger",
        "parody",
        "fool",
        "footprint",
        "lightning",
        "grep",
        "grok",
        "orig",
        "hair",
        "february",
        "razor",
        "hook",
        "this",
        "green",
        "warner",
        "lexer",
        "code",
        "blank",
        "mars",
        "bach",
        "xenon",
        "mensa",
        "police",
        "nethack",
        "mark",
        "path",
        "silly",
        "nuke",
        "find",
        "panic",
        "patch",
        "compiler",
        "friday",
        "prowler",
        "drop",
        "school",
        "beast",
        "rape",
        "comment",
        "simple",
        "small",
        "infinity",
        "terminal",
        "wallpaper",
        "zero",
        "zombie",
        "loader",
        "diablo",
        "wormhole",
        "write",
        "anime",
        "google",
        "creek",
        "save saved",
        "palo alto",
        "reviews google",
        "reviews",
        "rate",
        "review",
        "adobe creek",
        "wabbit",
        "multics",
        "gedanken",
        "file",
        "jargon file",
        "english",
        "next",
        "previous",
        "steele1983",
        "writing style",
        "format",
        "bill",
        "april",
        "explorer",
        "chon",
        "loud",
        "swedish",
        "philadelphia",
        "postscript",
        "jonl",
        "system",
        "pdp10",
        "uncle gaylord",
        "el camino",
        "bits",
        "bugs",
        "error",
        "losers",
        "alphabet",
        "alpha",
        "venus",
        "star",
        "period",
        "delta",
        "shoe",
        "galileo",
        "movie",
        "coke",
        "ravs",
        "murphy",
        "beethoven",
        "never",
        "generator",
        "august",
        "ginger",
        "hacked",
        "tech",
        "energy",
        "abagnale",
        "main official",
        "publications",
        "tips",
        "list",
        "privacy guard",
        "partner",
        "3 notable",
        "hacks",
        "frauds",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "thumbprint",
        "v3 serial",
        "number",
        "cus ogoogle",
        "trust",
        "cnwr3 validity",
        "subject public"
      ],
      "references": [
        "https://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/",
        "https://haveibeenpwned.com/breach/Adobe",
        "https://magic-cookie.co.uk/jargon/jarg211/jargon.htm#:~:text=terminate%20a%20conversation.%20Typical%20examples%20involve%20WIN%2C,flame.%22%20%22Boy%2C%20what%20a%20bagbiter!%20Chomp%2C%20chomp!%22",
        "https://www.google.com/viewer/place?mid=/m/0805kv4&sa=X&ved=2ahUKEwifwpDL186TAxVWlYkEHfhkM8wQqdYPegQIBhAG",
        "https://www.netmeister.org/news/jargon.html",
        "http://xahlee.info/comp/the_jargon_file.html"
      ],
      "public": 1,
      "adversary": "Woopie",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "\u2019m",
          "display_name": "\u2019m",
          "target": null
        },
        {
          "id": "Hummmmmm",
          "display_name": "Hummmmmm",
          "target": null
        },
        {
          "id": "WABBIT",
          "display_name": "WABBIT",
          "target": null
        },
        {
          "id": "MULTICS",
          "display_name": "MULTICS",
          "target": null
        },
        {
          "id": "GEDANKEN",
          "display_name": "GEDANKEN",
          "target": null
        },
        {
          "id": "Usenet",
          "display_name": "Usenet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [
        "Defense",
        "Gas"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 91,
        "domain": 23,
        "hostname": 30,
        "email": 27,
        "FileHash-SHA256": 102,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 36
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "32 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ce347222098a7c1739af70",
      "name": "Facebook Warns Users After Adobe Breach \u2013 Krebs on Security",
      "description": "The following is a guide to key information found in the 2013 Adobe data leak, as well as the key details of key passwords and other key data, which were leaked to the public and shared online. The clue was in the oa oa (auth) / or oa (adobe office) - more to come.",
      "modified": "2026-05-02T00:08:01.198000",
      "created": "2026-04-02T09:18:42.940000",
      "tags": [
        "graham cluley",
        "adobe",
        "factors",
        "codebook",
        "2 list",
        "ecb mode",
        "triple des",
        "key strings",
        "facebook",
        "nancarrow",
        "adobe data",
        "jay nancarrow",
        "paul ducklin",
        "sophos",
        "adobe account",
        "update",
        "sunday",
        "woopie",
        "\u2019m",
        "hummmmmm",
        "been",
        "guardio",
        "password",
        "sponsored get",
        "me api",
        "out dashboard",
        "october",
        "recommended",
        "actions",
        "adobe breach",
        "levelblue",
        "alienvault",
        "enter",
        "otx platform",
        "electronic",
        "adobe ecb",
        "unix",
        "usenet",
        "said",
        "stanford",
        "msdos",
        "lisp",
        "sail",
        "teco",
        "hacker",
        "term",
        "stack",
        "core",
        "hack",
        "flame",
        "worm",
        "uucp",
        "acronym",
        "crunch",
        "shell",
        "advent",
        "close",
        "choke",
        "crash",
        "demon",
        "phase",
        "eris",
        "glitch",
        "hello",
        "trash",
        "open",
        "nanobot",
        "magic",
        "cracker",
        "blast",
        "burn",
        "cray",
        "bogus",
        "bounce",
        "meta",
        "copyleft",
        "dragon",
        "phantom",
        "mango",
        "iron",
        "waldo",
        "funky",
        "grovel",
        "rogue",
        "life",
        "back",
        "slime",
        "knight",
        "spin",
        "chad",
        "cookie",
        "empire",
        "discord",
        "flytrap",
        "june",
        "problem",
        "mutter",
        "tick",
        "storm",
        "music",
        "trivial",
        "push",
        "window",
        "drives",
        "jack",
        "yoyo",
        "general",
        "dirty",
        "ping",
        "benchmark",
        "shift",
        "blazer",
        "false",
        "damage",
        "horror",
        "tron",
        "anchor",
        "download",
        "snoopy",
        "enterprise",
        "mind",
        "epsilon",
        "chaos",
        "beep",
        "ding",
        "finger",
        "parody",
        "fool",
        "footprint",
        "lightning",
        "grep",
        "grok",
        "orig",
        "hair",
        "february",
        "razor",
        "hook",
        "this",
        "green",
        "warner",
        "lexer",
        "code",
        "blank",
        "mars",
        "bach",
        "xenon",
        "mensa",
        "police",
        "nethack",
        "mark",
        "path",
        "silly",
        "nuke",
        "find",
        "panic",
        "patch",
        "compiler",
        "friday",
        "prowler",
        "drop",
        "school",
        "beast",
        "rape",
        "comment",
        "simple",
        "small",
        "infinity",
        "terminal",
        "wallpaper",
        "zero",
        "zombie",
        "loader",
        "diablo",
        "wormhole",
        "write",
        "anime",
        "google",
        "creek",
        "save saved",
        "palo alto",
        "reviews google",
        "reviews",
        "rate",
        "review",
        "adobe creek",
        "wabbit",
        "multics",
        "gedanken",
        "file",
        "jargon file",
        "english",
        "next",
        "previous",
        "steele1983",
        "writing style",
        "format",
        "bill",
        "april",
        "explorer",
        "chon",
        "loud",
        "swedish",
        "philadelphia",
        "postscript",
        "jonl",
        "system",
        "pdp10",
        "uncle gaylord",
        "el camino",
        "bits",
        "bugs",
        "error",
        "losers",
        "alphabet",
        "alpha",
        "venus",
        "star",
        "period",
        "delta",
        "shoe",
        "galileo",
        "movie",
        "coke",
        "ravs",
        "murphy",
        "beethoven",
        "never",
        "generator",
        "august",
        "ginger",
        "hacked",
        "tech",
        "energy",
        "abagnale",
        "main official",
        "publications",
        "tips",
        "list",
        "privacy guard",
        "partner",
        "3 notable",
        "hacks",
        "frauds",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "thumbprint",
        "v3 serial",
        "number",
        "cus ogoogle",
        "trust",
        "cnwr3 validity",
        "subject public"
      ],
      "references": [
        "https://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/",
        "https://haveibeenpwned.com/breach/Adobe",
        "https://magic-cookie.co.uk/jargon/jarg211/jargon.htm#:~:text=terminate%20a%20conversation.%20Typical%20examples%20involve%20WIN%2C,flame.%22%20%22Boy%2C%20what%20a%20bagbiter!%20Chomp%2C%20chomp!%22",
        "https://www.google.com/viewer/place?mid=/m/0805kv4&sa=X&ved=2ahUKEwifwpDL186TAxVWlYkEHfhkM8wQqdYPegQIBhAG",
        "https://www.netmeister.org/news/jargon.html",
        "http://xahlee.info/comp/the_jargon_file.html"
      ],
      "public": 1,
      "adversary": "Woopie",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "\u2019m",
          "display_name": "\u2019m",
          "target": null
        },
        {
          "id": "Hummmmmm",
          "display_name": "Hummmmmm",
          "target": null
        },
        {
          "id": "WABBIT",
          "display_name": "WABBIT",
          "target": null
        },
        {
          "id": "MULTICS",
          "display_name": "MULTICS",
          "target": null
        },
        {
          "id": "GEDANKEN",
          "display_name": "GEDANKEN",
          "target": null
        },
        {
          "id": "Usenet",
          "display_name": "Usenet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [
        "Defense",
        "Gas"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 91,
        "domain": 23,
        "hostname": 30,
        "email": 27,
        "FileHash-SHA256": 102,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 36
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "32 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bbba3ed3b01bcf222ccc1d",
      "name": "EbeeMar2026 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-18T08:06:12.483000",
      "created": "2026-03-19T08:56:30.058000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara"
      ],
      "references": [
        "IOCs.2026.3.csv"
      ],
      "public": 1,
      "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 97,
        "URL": 96,
        "CVE": 3,
        "FileHash-MD5": 93,
        "FileHash-SHA1": 101,
        "FileHash-SHA256": 153,
        "domain": 156,
        "email": 9
      },
      "indicator_count": 708,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b0bc8d6c219cb8f9e178d2",
      "name": "Attackers Exploit FortiGate Edge Devices to Breach Enterprise Networks",
      "description": "SentinelOne is the world\u2019s leading provider of artificial intelligence-powered security solutions, with the launch of Singularity XDR at the RSAC\u2122 2026 Conference in Las Vegas, USA.",
      "modified": "2026-04-10T00:22:59.717000",
      "created": "2026-03-11T00:51:25.884000",
      "tags": [
        "incident",
        "c2 domain",
        "fortigate",
        "java",
        "account",
        "urls https",
        "pulseway rmm",
        "account names",
        "created",
        "threat actor",
        "siem",
        "ip address",
        "fortinet",
        "february",
        "iocs",
        "meshagent",
        "event id",
        "spns",
        "powershell",
        "ukraine",
        "tools",
        "service"
      ],
      "references": [
        "https://www.sentinelone.com/blog/fortigate-edge-intrusions/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3,
        "CVE": 3
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 59,
      "modified_text": "54 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691d662359a87a337eff8e84",
      "name": "Cat\u2019s Got Your Files: Lynx Ransomware",
      "description": "A look back at the Lynx ransomware intrusion from March 2025 to November 19, 2025, and the details of the malware\u2019s time-to-ransomware deployment and how it unfolded.",
      "modified": "2025-12-19T06:03:21.189000",
      "created": "2025-11-19T06:39:31.108000",
      "tags": [
        "netscan",
        "ip address",
        "netexec",
        "lookalike",
        "remote desktop",
        "scanner",
        "opens",
        "lynx ransomware",
        "users",
        "rdp session",
        "anydesk",
        "ransomware",
        "metasploit",
        "shell",
        "service",
        "cobalt strike",
        "sliver",
        "powershell",
        "malware",
        "hypervisor",
        "bloodhound",
        "false",
        "empire",
        "exploit",
        "august",
        "model",
        "local",
        "impact",
        "facebook",
        "info",
        "lynx"
      ],
      "references": [
        "https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Info",
          "display_name": "Info",
          "target": null
        },
        {
          "id": "Lynx",
          "display_name": "Lynx",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "domain": 3
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "166 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6863ce4bf9ce996080883327",
      "name": "Hide Your RDP: Password Spray Leads to RansomHub Deployment \u2013 The DFIR Report",
      "description": "",
      "modified": "2025-07-31T12:04:23.670000",
      "created": "2025-07-01T12:02:19.963000",
      "tags": [
        "redacted date",
        "redacted time",
        "advanced ip",
        "mimikatz",
        "scanner",
        "sysmon event",
        "handler",
        "splashtop",
        "netscan",
        "rclone",
        "service",
        "lsass",
        "nirsoft",
        "powershell",
        "shell",
        "impact",
        "june",
        "cobalt strike",
        "metasploit",
        "sliver",
        "tools",
        "ransomware",
        "desktop",
        "rats",
        "pass",
        "model",
        "execution",
        "hacktool",
        "facebook"
      ],
      "references": [
        "https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 1,
        "domain": 3
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "307 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682b610eef5809c18a12f700",
      "name": "ELPACO-team Ransomware Exploits Confluence Vulnerability (CVE-2023-22527)",
      "description": "On May 19, 2025, a detailed report revealed that the ELPACO-team ransomware exploited a known vulnerability (CVE-2023-22527) in an internet-facing Confluence server. The attackers used this vulnerability to gain remote code execution, followed by a series of automated commands to install AnyDesk, create admin users, and enable RDP. Tools like Mimikatz and ProcessHacker were employed to harvest credentials, culminating in the deployment of the ELPACO-team ransomware, a variant of Mimic ransomware. Despite the deployment of ransomware and deletion of some event logs, no significant data exfiltration was observed.",
      "modified": "2025-06-18T16:02:44.509000",
      "created": "2025-05-19T16:49:18.412000",
      "tags": [
        "anydesk",
        "ip address",
        "mimikatz",
        "metasploit",
        "sysmon",
        "confluence",
        "cve202322527",
        "sigma",
        "et exploit",
        "whoami",
        "meterpreter",
        "hacktool",
        "cobalt strike",
        "netscan",
        "impacket",
        "lsass",
        "service",
        "june",
        "path",
        "sliver",
        "execution",
        "persistence",
        "desktop",
        "python",
        "noname",
        "cloud",
        "virustotal",
        "powershell",
        "defendercontrol",
        "phase",
        "impact",
        "shell",
        "facebook",
        "blackbasta",
        "rpcss",
        "mimic"
      ],
      "references": [
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "BlackBasta",
          "display_name": "BlackBasta",
          "target": null
        },
        {
          "id": "RPCSS",
          "display_name": "RPCSS",
          "target": null
        },
        {
          "id": "Mimic",
          "display_name": "Mimic",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Metasploit",
          "display_name": "Metasploit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 29,
        "FileHash-SHA1": 29,
        "FileHash-SHA256": 29,
        "domain": 4
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 545,
      "modified_text": "350 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682afe31c17aec1131aaf968",
      "name": "Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware – The DFIR Report",
      "description": "As part of our series of real-life security reports, we look back at a case in which a Confluence server was compromised and fell to ELPACO-team ransomware in May 2025.",
      "modified": "2025-06-18T09:03:17.225000",
      "created": "2025-05-19T09:47:28.407000",
      "tags": [
        "anydesk",
        "ip address",
        "mimikatz",
        "metasploit",
        "sysmon",
        "confluence",
        "cve202322527",
        "sigma",
        "et exploit",
        "whoami",
        "meterpreter",
        "hacktool",
        "cobalt strike",
        "netscan",
        "impacket",
        "lsass",
        "service",
        "june",
        "path",
        "sliver",
        "execution",
        "persistence",
        "desktop",
        "python",
        "noname",
        "cloud",
        "virustotal",
        "powershell",
        "defendercontrol",
        "phase",
        "impact",
        "shell",
        "facebook",
        "blackbasta",
        "rpcss",
        "mimic"
      ],
      "references": [
        "https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#initial-access"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "BlackBasta",
          "display_name": "BlackBasta",
          "target": null
        },
        {
          "id": "RPCSS",
          "display_name": "RPCSS",
          "target": null
        },
        {
          "id": "Mimic",
          "display_name": "Mimic",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Metasploit",
          "display_name": "Metasploit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ahyka123",
        "id": "254370",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 29,
        "FileHash-SHA1": 29,
        "FileHash-SHA256": 29,
        "domain": 4
      },
      "indicator_count": 91,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "350 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "delete.me",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "delete.me",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780521514.5381224
}