{ "type": "Domain", "indicator": "directoryframework.top", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/directoryframework.top", "alexa": "http://www.alexa.com/siteinfo/directoryframework.top", "indicator": "directoryframework.top", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4052804207, "indicator": "directoryframework.top", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6995e8969f9d1c390db3fa4e", "name": "Law Firm Sites Hijacked in Suspected Supply-Chain Attack", "description": "GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.", "modified": "2026-03-20T16:41:27.242000", "created": "2026-02-18T16:28:06.616000", "tags": [ "hz hosting ltd", "fake browser updates", "mivocloud", "law firms", "netsupport rat", "sectoprat", "supply-chain attack", "wordpress", "stealc", "clickfix" ], "references": [ "https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack", "https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "GrayCharlie", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 80, "URL": 3, "domain": 208, "hostname": 5 }, "indicator_count": 354, "is_author": false, "is_subscribing": null, "subscriber_count": 377576, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699f7e47f8ab5f972e39239f", "name": "IOC Blocking", "description": "The full list of names and names of people who have signed up to be part of the BBC World Service has been revealed. and here is the full set of images..-. the.", "modified": "2026-03-27T22:22:21.774000", "created": "2026-02-25T22:57:11.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 61, "FileHash-SHA256": 61, "domain": 174 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699f4b5106d7bf5ddbcf4731", "name": "GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack", "description": "GrayCharlie is a cyber threat actor that has been active since mid-2023, notably engaging in supply-chain attacks by compromising WordPress sites. This actor injects JavaScript into these sites to redirect users to malicious payloads, primarily the NetSupport Remote Access Trojan (RAT), using fake browser update prompts or ClickFix pop-ups as delivery mechanisms. The threat group has been linked with extensive control infrastructure, primarily associated with hosting providers like MivoCloud and HZ Hosting Ltd., which includes command-and-control (C2) servers and staging infrastructures.", "modified": "2026-03-27T19:20:00.039000", "created": "2026-02-25T19:19:45.140000", "tags": [], "references": [ "https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0218.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1592.004", "name": "Client Configurations", "display_name": "T1592.004 - Client Configurations" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Education", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 71, "FileHash-SHA256": 80, "domain": 209, "email": 2, "hostname": 6 }, "indicator_count": 439, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c6800136512489272b3b4", "name": "GrayCharlie Supply-Chain Style WordPress Campaign Delivers NetSupport RAT at Scale", "description": "Top 10 of the most read articles on the BBC's Newsround website this year have been published, with the title of \"best-selling company\" being given to a number of companies and organisations.", "modified": "2026-03-25T14:18:50.662000", "created": "2026-02-23T14:45:20.381000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 61, "FileHash-SHA256": 61, "domain": 174 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996b7a1109d6eff28d4a4f9", "name": "Law Firm Sites Hijacked in Suspected Supply-Chain Attack", "description": "", "modified": "2026-03-20T16:41:27.242000", "created": "2026-02-19T07:11:29.304000", "tags": [ "hz hosting ltd", "fake browser updates", "mivocloud", "law firms", "netsupport rat", "sectoprat", "supply-chain attack", "wordpress", "stealc", "clickfix" ], "references": [ "https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack", "https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "GrayCharlie", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": "6995e8969f9d1c390db3fa4e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 80, "URL": 3, "domain": 208, "hostname": 5 }, "indicator_count": 354, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack", "https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&format=pjpg&optimize=medium", "https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0218.pdf" ], "related": { "alienvault": { "adversary": [ "GrayCharlie" ], "malware_families": [ "Sectoprat", "Stealc", "Netsupport rat" ], "industries": [ "Legal" ] }, "other": { "adversary": [ "GrayCharlie" ], "malware_families": [ "Sectoprat", "Stealc", "Netsupport rat" ], "industries": [ "Government", "Entertainment", "Education", "Legal" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6995e8969f9d1c390db3fa4e", "name": "Law Firm Sites Hijacked in Suspected Supply-Chain Attack", "description": "GrayCharlie, a threat actor active since mid-2023, compromises WordPress sites to inject links redirecting visitors to NetSupport RAT payloads via fake browser updates or ClickFix mechanisms. These infections often lead to Stealc and SectopRAT deployments. The group's infrastructure is primarily linked to MivoCloud and HZ Hosting Ltd. A cluster of US law firm sites was compromised around November 2025, possibly through a supply-chain attack. GrayCharlie uses two main attack chains: one involving fake browser updates and another using ClickFix-style lures. The group's objectives appear to focus on data theft and financial gain, with potential access selling to other threat actors.", "modified": "2026-03-20T16:41:27.242000", "created": "2026-02-18T16:28:06.616000", "tags": [ "hz hosting ltd", "fake browser updates", "mivocloud", "law firms", "netsupport rat", "sectoprat", "supply-chain attack", "wordpress", "stealc", "clickfix" ], "references": [ "https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack", "https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "GrayCharlie", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 80, "URL": 3, "domain": 208, "hostname": 5 }, "indicator_count": 354, "is_author": false, "is_subscribing": null, "subscriber_count": 377576, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699f7e47f8ab5f972e39239f", "name": "IOC Blocking", "description": "The full list of names and names of people who have signed up to be part of the BBC World Service has been revealed. and here is the full set of images..-. the.", "modified": "2026-03-27T22:22:21.774000", "created": "2026-02-25T22:57:11.518000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 61, "FileHash-SHA256": 61, "domain": 174 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699f4b5106d7bf5ddbcf4731", "name": "GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack", "description": "GrayCharlie is a cyber threat actor that has been active since mid-2023, notably engaging in supply-chain attacks by compromising WordPress sites. This actor injects JavaScript into these sites to redirect users to malicious payloads, primarily the NetSupport Remote Access Trojan (RAT), using fake browser update prompts or ClickFix pop-ups as delivery mechanisms. The threat group has been linked with extensive control infrastructure, primarily associated with hosting providers like MivoCloud and HZ Hosting Ltd., which includes command-and-control (C2) servers and staging infrastructures.", "modified": "2026-03-27T19:20:00.039000", "created": "2026-02-25T19:19:45.140000", "tags": [], "references": [ "https://assets.recordedfuture.com/insikt-report-pdfs/2026/cta-2026-0218.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1592.004", "name": "Client Configurations", "display_name": "T1592.004 - Client Configurations" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Education", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 71, "FileHash-SHA256": 80, "domain": 209, "email": 2, "hostname": 6 }, "indicator_count": 439, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c6800136512489272b3b4", "name": "GrayCharlie Supply-Chain Style WordPress Campaign Delivers NetSupport RAT at Scale", "description": "Top 10 of the most read articles on the BBC's Newsround website this year have been published, with the title of \"best-selling company\" being given to a number of companies and organisations.", "modified": "2026-03-25T14:18:50.662000", "created": "2026-02-23T14:45:20.381000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cherryid", "id": "383941", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 61, "FileHash-SHA256": 61, "domain": 174 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996b7a1109d6eff28d4a4f9", "name": "Law Firm Sites Hijacked in Suspected Supply-Chain Attack", "description": "", "modified": "2026-03-20T16:41:27.242000", "created": "2026-02-19T07:11:29.304000", "tags": [ "hz hosting ltd", "fake browser updates", "mivocloud", "law firms", "netsupport rat", "sectoprat", "supply-chain attack", "wordpress", "stealc", "clickfix" ], "references": [ "https://www.recordedfuture.com/research/graycharlie-hijacks-law-firm-sites-suspected-supply-chain-attack", "https://www.recordedfuture.com/research/media_187b8e348054a7063fd37aec148dfc3337efc5d14.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "GrayCharlie", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": "6995e8969f9d1c390db3fa4e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 29, "FileHash-SHA256": 80, "URL": 3, "domain": 208, "hostname": 5 }, "indicator_count": 354, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "directoryframework.top", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "directoryframework.top", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776643145.7039208 }