{ "type": "Domain", "indicator": "devsecurityservices.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/devsecurityservices.com", "alexa": "http://www.alexa.com/siteinfo/devsecurityservices.com", "indicator": "devsecurityservices.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3636414938, "indicator": "devsecurityservices.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890a840ec25470253f81c40", "name": "asdffg", "description": "", "modified": "2025-09-03T12:05:03.081000", "created": "2025-08-04T12:32:00.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 7, "hostname": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a09af58f85f39cb9fdd0", "name": "Threatview.io C2 Hunt Feed", "description": "Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:03:54.265000", "tags": [ "hunter", "pm utc", "am utc", "september", "august", "february", "january", "june", "april", "october", "media", "date", "comment" ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitman", "id": "195", "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 543, "hostname": 120 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640f10d20e92995ab6bf9ca9", "name": "Cobalt Strike Servers & C2 | 03/06/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 03/06/2023.", "modified": "2023-04-12T00:01:36.873000", "created": "2023-03-13T12:02:26.363000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "640f10dc46136baabbef5f74", "name": "Cobalt Strike C2 | 03/06/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 03/06/2023.", "modified": "2023-04-12T00:01:36.873000", "created": "2023-03-13T12:02:36.653000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6405d677a5b545c271b3f34a", "name": "Cobalt Strike Servers & C2 | 02/27/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 02/27/2023.", "modified": "2023-04-05T00:03:03.287000", "created": "2023-03-06T12:02:57.913000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6405d688d1ca2f14a821da3b", "name": "Cobalt Strike C2 | 02/27/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 02/27/2023.", "modified": "2023-04-05T00:03:03.287000", "created": "2023-03-06T12:03:20.759000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63fd484a7c454964e0eb11d3", "name": "InQuest - 27-02-2023", "description": "", "modified": "2023-03-30T00:03:47.607000", "created": "2023-02-28T00:18:18.460000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 856, "URL": 1517, "FileHash-SHA256": 275, "hostname": 417, "FileHash-SHA1": 6, "FileHash-MD5": 8 }, "indicator_count": 3079, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63fbf86c6a7bfd41ad45f008", "name": "InQuest - 26-02-2023", "description": "", "modified": "2023-03-29T00:03:42.396000", "created": "2023-02-27T00:25:16.141000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 915, "URL": 1527, "FileHash-SHA256": 257, "hostname": 369, "FileHash-MD5": 9, "FileHash-SHA1": 6 }, "indicator_count": 3083, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63faa5406c6cef7b1aa82af2", "name": "InQuest - 25-02-2023", "description": "", "modified": "2023-03-28T00:02:26.001000", "created": "2023-02-26T00:18:08.259000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 271, "domain": 830, "URL": 1446, "hostname": 341, "FileHash-SHA1": 8, "FileHash-MD5": 12 }, "indicator_count": 2908, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "1161 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f951cb40a1b7d5d6d82b89", "name": "InQuest - 24-02-2023", "description": "", "modified": "2023-03-27T00:06:00.878000", "created": "2023-02-25T00:09:47.790000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 4, "domain": 1114, "URL": 1660, "FileHash-SHA256": 207, "hostname": 335, "FileHash-MD5": 25 }, "indicator_count": 3345, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt", "https://labs.inquest.net/iocdb", "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "ShadowSyndicate" ], "malware_families": [ "", "Cobalt strike - s0154" ], "industries": [ "Finance", "Logistic", "Healthcare", "Government", "Entertaiment", "Telecommunications", "Petroleum", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890a840ec25470253f81c40", "name": "asdffg", "description": "", "modified": "2025-09-03T12:05:03.081000", "created": "2025-08-04T12:32:00.029000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 7, "hostname": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "272 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a09af58f85f39cb9fdd0", "name": "Threatview.io C2 Hunt Feed", "description": "Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:03:54.265000", "tags": [ "hunter", "pm utc", "am utc", "september", "august", "february", "january", "june", "april", "october", "media", "date", "comment" ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitman", "id": "195", "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 543, "hostname": 120 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640f10d20e92995ab6bf9ca9", "name": "Cobalt Strike Servers & C2 | 03/06/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 03/06/2023.", "modified": "2023-04-12T00:01:36.873000", "created": "2023-03-13T12:02:26.363000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "640f10dc46136baabbef5f74", "name": "Cobalt Strike C2 | 03/06/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 03/06/2023.", "modified": "2023-04-12T00:01:36.873000", "created": "2023-03-13T12:02:36.653000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6405d677a5b545c271b3f34a", "name": "Cobalt Strike Servers & C2 | 02/27/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 02/27/2023.", "modified": "2023-04-05T00:03:03.287000", "created": "2023-03-06T12:02:57.913000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6405d688d1ca2f14a821da3b", "name": "Cobalt Strike C2 | 02/27/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 02/27/2023.", "modified": "2023-04-05T00:03:03.287000", "created": "2023-03-06T12:03:20.759000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "devsecurityservices.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "devsecurityservices.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780309004.219356 }