{ "type": "Domain", "indicator": "digitalcodecrafters.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/digitalcodecrafters.com", "alexa": "http://www.alexa.com/siteinfo/digitalcodecrafters.com", "indicator": "digitalcodecrafters.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3803086373, "indicator": "digitalcodecrafters.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ba6da74dd2860d7d7724be", "name": "Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor - Nextron Systems", "description": "The FalseFont Backdoor was used by Peach Sandstorm APT to steal personal data from US Defense and Intelligence Contractors, as well as other cyber-espionage targets, which were targeted worldwide. In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by Microsoft. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies, and provides the user with a realistic UI and behavior.", "modified": "2024-03-01T15:04:50.870000", "created": "2024-01-31T15:56:23.797000", "tags": [ "command handler", "nextron", "yara", "maxar", "background task", "aurora", "sigma", "thor", "hosts", "persistence", "config", "restart", "loki", "spark", "falsefont", "detects falsefont", "peach sandstorm" ], "references": [ "https://www.nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null }, { "id": "Detects FalseFont", "display_name": "Detects FalseFont", "target": null }, { "id": "Peach Sandstorm", "display_name": "Peach Sandstorm", "target": null } ], "attack_ids": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "YARA": 1, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658c2986225e23bf1b410576", "name": "Iranian Hackers Developed a New Backdoor to Hack Windows", "description": "An Iranian nation-state actor has developed a new backdoor that enables hackers to hack Microsoft\u2019s Windows operating system, and the security researchers at Microsoft Threat Intelligence team are hunting for the group.", "modified": "2023-12-27T13:41:25.984000", "created": "2023-12-27T13:41:25.984000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "888 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6589396652229cd39a4a6c3e", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "", "modified": "2023-12-25T08:12:22.846000", "created": "2023-12-25T08:12:22.846000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop", "APT33" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/", "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "Peach Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null } ], "attack_ids": [], "industries": [ "Aviation", "Defense Industrial Base" ], "TLP": "white", "cloned_from": "6589382fccaba7e1972a7f12", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6589382fccaba7e1972a7f12", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "", "modified": "2023-12-25T08:11:58.988000", "created": "2023-12-25T08:07:11.482000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop", "APT33" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/", "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "Peach Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null } ], "attack_ids": [], "industries": [ "Aviation", "Defense Industrial Base" ], "TLP": "white", "cloned_from": "6588ba75839e5068a0927a35", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658583c0b89c9011ef82a51a", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.\n\nThe findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.", "modified": "2023-12-22T12:40:32.238000", "created": "2023-12-22T12:40:32.238000", "tags": [], "references": [ "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 320, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "893 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html", "https://www.nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Peach Sandstorm" ], "malware_families": [ "Detects falsefont", "Peach sandstorm", "Falsefont" ], "industries": [ "Aviation", "Defense industrial base" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ba6da74dd2860d7d7724be", "name": "Analysis of FalseFont Backdoor used by Peach-Sandstorm Threat Actor - Nextron Systems", "description": "The FalseFont Backdoor was used by Peach Sandstorm APT to steal personal data from US Defense and Intelligence Contractors, as well as other cyber-espionage targets, which were targeted worldwide. In this article, we will explore the FalseFont Backdoor used by Peach Sandstorm APT to target defense contractors worldwide. The backdoor was initially identified and reported on by Microsoft. The malware features data exfiltration and remote access capabilities. It poses as a legitimate application from US Defense and Intelligence Contractor Maxar Technologies, and provides the user with a realistic UI and behavior.", "modified": "2024-03-01T15:04:50.870000", "created": "2024-01-31T15:56:23.797000", "tags": [ "command handler", "nextron", "yara", "maxar", "background task", "aurora", "sigma", "thor", "hosts", "persistence", "config", "restart", "loki", "spark", "falsefont", "detects falsefont", "peach sandstorm" ], "references": [ "https://www.nextron-systems.com/2024/01/29/analysis-of-falsefont-backdoor-used-by-peach-sandstorm-threat-actor/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null }, { "id": "Detects FalseFont", "display_name": "Detects FalseFont", "target": null }, { "id": "Peach Sandstorm", "display_name": "Peach Sandstorm", "target": null } ], "attack_ids": [ { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "YARA": 1, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658c2986225e23bf1b410576", "name": "Iranian Hackers Developed a New Backdoor to Hack Windows", "description": "An Iranian nation-state actor has developed a new backdoor that enables hackers to hack Microsoft\u2019s Windows operating system, and the security researchers at Microsoft Threat Intelligence team are hunting for the group.", "modified": "2023-12-27T13:41:25.984000", "created": "2023-12-27T13:41:25.984000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "888 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6589396652229cd39a4a6c3e", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "", "modified": "2023-12-25T08:12:22.846000", "created": "2023-12-25T08:12:22.846000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop", "APT33" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/", "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "Peach Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null } ], "attack_ids": [], "industries": [ "Aviation", "Defense Industrial Base" ], "TLP": "white", "cloned_from": "6589382fccaba7e1972a7f12", "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6589382fccaba7e1972a7f12", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "", "modified": "2023-12-25T08:11:58.988000", "created": "2023-12-25T08:07:11.482000", "tags": [ "peach sandstorm", "falsefont", "microsoft", "microsoft entra", "ad fs", "practice", "entra id", "hackers group", "apt33 elfin", "kitten", "benchmark", "desktop", "APT33" ], "references": [ "https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/", "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "Peach Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "FalseFont", "display_name": "FalseFont", "target": null } ], "attack_ids": [], "industries": [ "Aviation", "Defense Industrial Base" ], "TLP": "white", "cloned_from": "6588ba75839e5068a0927a35", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658583c0b89c9011ef82a51a", "name": "Microsoft Warns of New 'FalseFont' Backdoor Targeting the Defense Sector", "description": "Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont.\n\nThe findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten.", "modified": "2023-12-22T12:40:32.238000", "created": "2023-12-22T12:40:32.238000", "tags": [], "references": [ "https://twitter.com/MsftSecIntel/status/1737895710169628824", "https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 320, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "893 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "digitalcodecrafters.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "digitalcodecrafters.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780414454.1204464 }