{ "type": "Domain", "indicator": "dev-clientservice.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/dev-clientservice.com", "alexa": "http://www.alexa.com/siteinfo/dev-clientservice.com", "indicator": "dev-clientservice.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2793359992, "indicator": "dev-clientservice.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "65f17f66772585fd1fd38929", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities", "description": "A financially motivated threat actor called Magnet Goblin quickly adopts and leverages 1-day vulnerabilities in public-facing services to gain initial access, including recent campaigns targeting Ivanti, Magento, and Qlik Sense. Analysis of a Linux variant of NerbianRAT malware used in attacks reveals the group's tactics.", "modified": "2024-04-12T10:00:50.959000", "created": "2024-03-13T10:26:46.138000", "tags": [ "NerbianRAT", "MiniNerbian", "Magnet Goblin", "Ivanti" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 366, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 7, "domain": 8, "hostname": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 386881, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fb461800291b6741775dea", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities", "description": "", "modified": "2024-04-12T10:00:50.959000", "created": "2024-03-20T20:24:56.904000", "tags": [ "NerbianRAT", "MiniNerbian", "Magnet Goblin", "Ivanti" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" } ], "industries": [], "TLP": "white", "cloned_from": "65f17f66772585fd1fd38929", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 7, "domain": 8, "hostname": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ef25e8bf9e270fae148298", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "Check Point Research has identified a new threat actor that leverages 1-day vulnerabilities in public-facing services such as Ivanti Connect Secure VPN and Magento to deploy custom Linux backdoors.", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-11T15:40:24.134000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ef4e1568d2b25a7844748f", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-11T18:31:49.098000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": "65ef25e8bf9e270fae148298", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 506, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f2a922146da15f711f3e8c", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-14T07:37:06.888000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": "65ef4e1568d2b25a7844748f", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f2aa5d5904399d8676ada1", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-14T07:42:21.229000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": "65f2a922146da15f711f3e8c", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eba7ae3add200c90aed834", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities", "description": "", "modified": "2024-04-08T00:01:33.958000", "created": "2024-03-09T00:04:58.671000", "tags": [ "OSINT", "CVE-2024-21887", "Ivanti", "Ivanti Connect Secure VPN", "CVE-2023-46805", "NerbianRAT", "Magento", "Qlink Sense", "Apache ActiveMQ", "WARPWIRE", "T1091 - Replication Through Removable Media", "T1059 - Command and Scripting Interpreter", "T1064 - Scripting", "T1129 - Shared Modules", "T1543.002 - Systemd Service", "T1574.001 - \t DLL Search Order Hijacking", "T1574.002 - DLL Side-Loading", "T1036 - Masquerading", "T1056 - Input Capture" ], "references": [ "https://community.riskiq.com/article/11616c16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 21, "domain": 7, "URL": 21 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "632c9caf3a5c7dcb35fc7bf1", "name": "Surge in Magento 2 template attacks | Sansec", "description": "Sansec has identified a critical template vulnerability in Magento 2, which allows cyber criminals to hijack customers' credit cards and steal money from them through a Magecart system, in a series of attacks.", "modified": "2022-10-22T17:39:25.168000", "created": "2022-09-22T17:34:39.581000", "tags": [ "cve-2022-24086", "dw-osint-cib" ], "references": [ "https://sansec.io/research/magento-2-template-attacks" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Retail Trade" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 1, "domain": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1318 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/", "https://community.riskiq.com/article/11616c16", "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities", "https://sansec.io/research/magento-2-template-attacks" ], "related": { "alienvault": { "adversary": [ "Magnet Goblin" ], "malware_families": [ "Warpwire", "Mininerbian", "Nerbianrat" ], "industries": [] }, "other": { "adversary": [ "Magnet Goblin" ], "malware_families": [ "Secure vpn", "Ivanti exploitation", "Windows", "Cactus", "Mininerbian", "Magento exploitation", "Nerbianrat", "Minnerbian", "Linux", "Warpwire" ], "industries": [ "Retail trade" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "65f17f66772585fd1fd38929", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities", "description": "A financially motivated threat actor called Magnet Goblin quickly adopts and leverages 1-day vulnerabilities in public-facing services to gain initial access, including recent campaigns targeting Ivanti, Magento, and Qlik Sense. Analysis of a Linux variant of NerbianRAT malware used in attacks reveals the group's tactics.", "modified": "2024-04-12T10:00:50.959000", "created": "2024-03-13T10:26:46.138000", "tags": [ "NerbianRAT", "MiniNerbian", "Magnet Goblin", "Ivanti" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 366, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 7, "domain": 8, "hostname": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 386881, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fb461800291b6741775dea", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities", "description": "", "modified": "2024-04-12T10:00:50.959000", "created": "2024-03-20T20:24:56.904000", "tags": [ "NerbianRAT", "MiniNerbian", "Magnet Goblin", "Ivanti" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" } ], "industries": [], "TLP": "white", "cloned_from": "65f17f66772585fd1fd38929", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 7, "domain": 8, "hostname": 2 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "781 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ef25e8bf9e270fae148298", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "Check Point Research has identified a new threat actor that leverages 1-day vulnerabilities in public-facing services such as Ivanti Connect Secure VPN and Magento to deploy custom Linux backdoors.", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-11T15:40:24.134000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ef4e1568d2b25a7844748f", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-11T18:31:49.098000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": "65ef25e8bf9e270fae148298", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 506, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f2a922146da15f711f3e8c", "name": "Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities - Check Point Research", "description": "", "modified": "2024-04-10T15:00:46.081000", "created": "2024-03-14T07:37:06.888000", "tags": [ "magnet goblin", "nerbianrat", "magento", "linux", "screenconnect", "mininerbian", "c2 server", "ivanti connect", "ivanti", "warpwire", "anydesk", "ligolo", "goblin", "virustotal", "protected", "secure vpn", "ivanti exploitation", "magento exploitation", "minnerbian", "cactus", "windows" ], "references": [ "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/" ], "public": 1, "adversary": "Magnet Goblin", "targeted_countries": [], "malware_families": [ { "id": "Secure VPN", "display_name": "Secure VPN", "target": null }, { "id": "Ivanti Exploitation", "display_name": "Ivanti Exploitation", "target": null }, { "id": "Magento Exploitation", "display_name": "Magento Exploitation", "target": null }, { "id": "MinNerbian", "display_name": "MinNerbian", "target": null }, { "id": "WARPWIRE", "display_name": "WARPWIRE", "target": null }, { "id": "MiniNerbian", "display_name": "MiniNerbian", "target": null }, { "id": "Cactus", "display_name": "Cactus", "target": null }, { "id": "NerbianRAT", "display_name": "NerbianRAT", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": "65ef4e1568d2b25a7844748f", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 21, "URL": 22, "domain": 10, "hostname": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "dev-clientservice.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "dev-clientservice.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780405977.6938446 }