{ "type": "Domain", "indicator": "deobfuscate.io", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/deobfuscate.io", "alexa": "http://www.alexa.com/siteinfo/deobfuscate.io", "indicator": "deobfuscate.io", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3600795143, "indicator": "deobfuscate.io", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6926c81b646b18ae922d7f8d", "name": "The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk", "description": "Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.", "modified": "2025-11-26T09:56:14.094000", "created": "2025-11-26T09:27:55.622000", "tags": [ "cve-2025-27915", "macos", "balada injector", "push notifications", "calendar subscriptions", "ios", "expired domains", "social engineering", "cybersecurity" ], "references": [ "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology", "Finance", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1, "URL": 6, "domain": 12, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386457, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683ecc28d5d833c19956cbee", "name": "OtterCookie: Analysis of New Lazarus Group Malware", "description": "North Korean state-sponsored cyber-attack group Lazarus is continuing to target professionals in the tech, financial and crypto sectors with a new tool called OtterCookie, an analysis shows, including fake job offers.", "modified": "2025-07-03T10:00:53.370000", "created": "2025-06-03T10:19:20.970000", "tags": [ "ottercookie", "invisibleferret", "beavertail", "mauro eldritch", "lazarus", "eldritch", "solana", "ck matrix", "lazarus group", "javascript", "exodus", "python", "uruguay", "team", "express", "next", "anydesk", "mamona", "dprk", "exodus wallet" ], "references": [ "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Exodus Wallet", "display_name": "Exodus Wallet", "target": null }, { "id": "Beavertail", "display_name": "Beavertail", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Financial", "Cryptocurrency", "Crypto" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 4, "URL": 15, "domain": 3, "hostname": 3 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6826fd781ceaad59a92471f5", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline", "description": "This article provides an in-depth analysis of the Tycoon 2FA phishing kit, focusing on its continuous evolution and the sophisticated techniques it employs to bypass two-factor authentication (2FA) for Microsoft 365 and Gmail. It explores various evasion mechanisms, including code obfuscation, CAPTCHA checks, and browser fingerprinting, detailing how these methods have changed over time. The study also offers practical tips for detecting Tycoon 2FA attacks, emphasizing the importance of behavioral analysis over signature-based detection.", "modified": "2025-05-16T08:55:20.294000", "created": "2025-05-16T08:55:20.294000", "tags": [ "tycoon", "mechanism", "stage", "captcha", "shift", "april", "captchas", "mechanisms", "phaas", "tycoon2fa", "generic", "telegram", "august", "false", "model", "error", "stages", "saad tycoon" ], "references": [ "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 25, "domain": 4, "hostname": 24 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "379 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6708ddd45aaef408e51e0850", "name": "DPRK Hackers Target Tech Job Seekers Using BeaverTail and InvisibleFerret Malware", "description": "Unit 42 has identified a campaign by North Korean threat actors, named CL-STA-240 Contagious Interview, targeting job seekers in the tech industry. These attackers pose as recruiters to install malware on victims\u2019 devices. Initially reported in November 2023, this campaign has seen continued online activity and updates to two malware variants: the BeaverTail downloader and the InvisibleFerret backdoor.", "modified": "2024-11-12T13:04:39.248000", "created": "2024-10-11T08:12:04.474000", "tags": [ "beavertail", "windows", "invisibleferret", "cortex xdr", "figure", "python", "unit", "november", "july", "onder kayabasi", "protect", "twitter", "june", "august", "crypto", "sta-0240", "macos", "javascript", "qt", "beavertail windows", "invisibleferret python", "contagious interview" ], "references": [ "https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/", "https://www.travismathison.com/posts/Beavertail-and-InvisibleFerret-malware/#analyzing-the-invisibleferret-payload-script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "STA-0240", "display_name": "STA-0240", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Qt", "display_name": "Qt", "target": null }, { "id": "BeaverTail Windows", "display_name": "BeaverTail Windows", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "InvisibleFerret Python", "display_name": "InvisibleFerret Python", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 33, "URL": 2, "domain": 1 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 216, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6530cf01c7fad411c90de0e2", "name": "ClearFake: a newcomer to the \"fake updates\" threats landscape - Sekoia.io Blog", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2023-11-18T06:02:04.242000", "created": "2023-10-19T06:38:57.397000", "tags": [ "clearfake", "javascript", "september", "appx file", "hijackloader", "appx", "clearfake c2", "iocs", "socgholish", "html page", "next", "august", "raccoon", "vidar", "first", "click", "malware", "bazarbackdoor", "emotet", "danabot", "redline", "remcos", "systembc", "third", "loader", "fakesg", "magniber", "idat loader" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Javascript", "display_name": "Javascript", "target": null }, { "id": "FakeSG", "display_name": "FakeSG", "target": null }, { "id": "Magniber", "display_name": "Magniber", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "IDAT Loader", "display_name": "IDAT Loader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 51, "hostname": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "924 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/", "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf", "https://www.travismathison.com/posts/Beavertail-and-InvisibleFerret-malware/#analyzing-the-invisibleferret-payload-script", "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/", "https://labs.inquest.net/iocdb", "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk", "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/", "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Government", "Technology", "Education", "Finance" ] }, "other": { "adversary": [ "Saad Tycoon", "Lazarus", "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face" ], "malware_families": [ "Contagious interview", "Invisibleferret", "Exodus wallet", "Ottercookie", "Sta-0240", "Clearfake", "Beavertail", "Vidar", "Idat loader", "Beavertail windows", "Qt", "Javascript", "Invisibleferret python", "Python", "Magniber", "Lazarus", "Fakesg", "Hijackloader", "Macos", "Encrypted" ], "industries": [ "Financial", "Cryptocurrency", "Crypto" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6926c81b646b18ae922d7f8d", "name": "The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk", "description": "Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.", "modified": "2025-11-26T09:56:14.094000", "created": "2025-11-26T09:27:55.622000", "tags": [ "cve-2025-27915", "macos", "balada injector", "push notifications", "calendar subscriptions", "ios", "expired domains", "social engineering", "cybersecurity" ], "references": [ "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology", "Finance", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1, "URL": 6, "domain": 12, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386457, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683ecc28d5d833c19956cbee", "name": "OtterCookie: Analysis of New Lazarus Group Malware", "description": "North Korean state-sponsored cyber-attack group Lazarus is continuing to target professionals in the tech, financial and crypto sectors with a new tool called OtterCookie, an analysis shows, including fake job offers.", "modified": "2025-07-03T10:00:53.370000", "created": "2025-06-03T10:19:20.970000", "tags": [ "ottercookie", "invisibleferret", "beavertail", "mauro eldritch", "lazarus", "eldritch", "solana", "ck matrix", "lazarus group", "javascript", "exodus", "python", "uruguay", "team", "express", "next", "anydesk", "mamona", "dprk", "exodus wallet" ], "references": [ "https://any.run/cybersecurity-blog/ottercookie-malware-analysis/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Exodus Wallet", "display_name": "Exodus Wallet", "target": null }, { "id": "Beavertail", "display_name": "Beavertail", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Financial", "Cryptocurrency", "Crypto" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA256": 4, "URL": 15, "domain": 3, "hostname": 3 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6826fd781ceaad59a92471f5", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline", "description": "This article provides an in-depth analysis of the Tycoon 2FA phishing kit, focusing on its continuous evolution and the sophisticated techniques it employs to bypass two-factor authentication (2FA) for Microsoft 365 and Gmail. It explores various evasion mechanisms, including code obfuscation, CAPTCHA checks, and browser fingerprinting, detailing how these methods have changed over time. The study also offers practical tips for detecting Tycoon 2FA attacks, emphasizing the importance of behavioral analysis over signature-based detection.", "modified": "2025-05-16T08:55:20.294000", "created": "2025-05-16T08:55:20.294000", "tags": [ "tycoon", "mechanism", "stage", "captcha", "shift", "april", "captchas", "mechanisms", "phaas", "tycoon2fa", "generic", "telegram", "august", "false", "model", "error", "stages", "saad tycoon" ], "references": [ "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 25, "domain": 4, "hostname": 24 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "379 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6708ddd45aaef408e51e0850", "name": "DPRK Hackers Target Tech Job Seekers Using BeaverTail and InvisibleFerret Malware", "description": "Unit 42 has identified a campaign by North Korean threat actors, named CL-STA-240 Contagious Interview, targeting job seekers in the tech industry. These attackers pose as recruiters to install malware on victims\u2019 devices. Initially reported in November 2023, this campaign has seen continued online activity and updates to two malware variants: the BeaverTail downloader and the InvisibleFerret backdoor.", "modified": "2024-11-12T13:04:39.248000", "created": "2024-10-11T08:12:04.474000", "tags": [ "beavertail", "windows", "invisibleferret", "cortex xdr", "figure", "python", "unit", "november", "july", "onder kayabasi", "protect", "twitter", "june", "august", "crypto", "sta-0240", "macos", "javascript", "qt", "beavertail windows", "invisibleferret python", "contagious interview" ], "references": [ "https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/", "https://www.travismathison.com/posts/Beavertail-and-InvisibleFerret-malware/#analyzing-the-invisibleferret-payload-script" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "STA-0240", "display_name": "STA-0240", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Qt", "display_name": "Qt", "target": null }, { "id": "BeaverTail Windows", "display_name": "BeaverTail Windows", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "InvisibleFerret Python", "display_name": "InvisibleFerret Python", "target": null }, { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 33, "URL": 2, "domain": 1 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 216, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6530cf01c7fad411c90de0e2", "name": "ClearFake: a newcomer to the \"fake updates\" threats landscape - Sekoia.io Blog", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2023-11-18T06:02:04.242000", "created": "2023-10-19T06:38:57.397000", "tags": [ "clearfake", "javascript", "september", "appx file", "hijackloader", "appx", "clearfake c2", "iocs", "socgholish", "html page", "next", "august", "raccoon", "vidar", "first", "click", "malware", "bazarbackdoor", "emotet", "danabot", "redline", "remcos", "systembc", "third", "loader", "fakesg", "magniber", "idat loader" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Javascript", "display_name": "Javascript", "target": null }, { "id": "FakeSG", "display_name": "FakeSG", "target": null }, { "id": "Magniber", "display_name": "Magniber", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "IDAT Loader", "display_name": "IDAT Loader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 51, "hostname": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "924 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "deobfuscate.io", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "deobfuscate.io", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180574.4368732 }