{ "type": "Domain", "indicator": "devicelinkintel.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/devicelinkintel.com", "alexa": "http://www.alexa.com/siteinfo/devicelinkintel.com", "indicator": "devicelinkintel.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4377140177, "indicator": "devicelinkintel.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a1447f25db6bc082d5093cb", "name": "RemotePE: The Lazarus RAT that lives in memory", "description": "A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.", "modified": "2026-05-25T15:15:11.630000", "created": "2026-05-25T13:00:34.674000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 7, "FileHash-SHA256": 8, "URL": 2, "domain": 8, "hostname": 1 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 386450, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552092, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15ad403ba61be50e09d42e", "name": "research indicators tlp: amber", "description": "This post is not a reflection of any companies tagged.", "modified": "2026-05-29T09:50:48.467000", "created": "2026-05-26T14:25:04.421000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 53, "URL": 131, "hostname": 73, "domain": 21, "FileHash-MD5": 17, "FileHash-SHA1": 26, "IPv4": 1 }, "indicator_count": 322, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15279470f40ea28e34fa55", "name": "RemotePE: The Lazarus RAT that lives in memory", "description": "", "modified": "2026-05-26T04:54:44.854000", "created": "2026-05-26T04:54:44.854000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a1447f25db6bc082d5093cb", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 7, "FileHash-SHA256": 8, "URL": 2, "domain": 8, "hostname": 1 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a151218eba755efd0f0b4a9", "name": "IOC - RemotePE: The Lazarus RAT that lives in memory", "description": "", "modified": "2026-05-26T03:23:33.245000", "created": "2026-05-26T03:23:04.561000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a1447f25db6bc082d5093cb", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 8, "domain": 8, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/", "IOCs-MAY4.csv" ], "related": { "alienvault": { "adversary": [ "Lazarus" ], "malware_families": [ "Dpapiloader", "Themeforestrat", "Remotepe", "Pondrat", "Remotepeloader", "Poolrat" ], "industries": [ "Finance" ] }, "other": { "adversary": [ "Lazarus", "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT" ], "malware_families": [ "Dpapiloader", "Themeforestrat", "Remotepe", "Pondrat", "Remotepeloader", "Poolrat" ], "industries": [ "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a1447f25db6bc082d5093cb", "name": "RemotePE: The Lazarus RAT that lives in memory", "description": "A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.", "modified": "2026-05-25T15:15:11.630000", "created": "2026-05-25T13:00:34.674000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 7, "FileHash-SHA256": 8, "URL": 2, "domain": 8, "hostname": 1 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 386450, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552092, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15ad403ba61be50e09d42e", "name": "research indicators tlp: amber", "description": "This post is not a reflection of any companies tagged.", "modified": "2026-05-29T09:50:48.467000", "created": "2026-05-26T14:25:04.421000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 53, "URL": 131, "hostname": 73, "domain": 21, "FileHash-MD5": 17, "FileHash-SHA1": 26, "IPv4": 1 }, "indicator_count": 322, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15279470f40ea28e34fa55", "name": "RemotePE: The Lazarus RAT that lives in memory", "description": "", "modified": "2026-05-26T04:54:44.854000", "created": "2026-05-26T04:54:44.854000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a1447f25db6bc082d5093cb", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 7, "FileHash-SHA256": 8, "URL": 2, "domain": 8, "hostname": 1 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a151218eba755efd0f0b4a9", "name": "IOC - RemotePE: The Lazarus RAT that lives in memory", "description": "", "modified": "2026-05-26T03:23:33.245000", "created": "2026-05-26T03:23:04.561000", "tags": [ "poolrat", "pondrat", "dpapiloader", "themeforestrat", "hellsgate", "remotepeloader", "remotepe" ], "references": [ "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "DPAPILoader", "display_name": "DPAPILoader", "target": null }, { "id": "RemotePELoader", "display_name": "RemotePELoader", "target": null }, { "id": "RemotePE", "display_name": "RemotePE", "target": null }, { "id": "ThemeForestRAT", "display_name": "ThemeForestRAT", "target": null }, { "id": "PondRAT", "display_name": "PondRAT", "target": null }, { "id": "POOLRAT", "display_name": "POOLRAT", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a1447f25db6bc082d5093cb", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 8, "domain": 8, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "devicelinkintel.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "devicelinkintel.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173564.3968754 }