{ "type": "Domain", "indicator": "display-error-runtime.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/display-error-runtime.com", "alexa": "http://www.alexa.com/siteinfo/display-error-runtime.com", "indicator": "display-error-runtime.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 208999803, "indicator": "display-error-runtime.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "5a26d621cdfd16043af60a9a", "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets", "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.", "modified": "2017-12-05T17:23:45.194000", "created": "2017-12-05T17:23:45.194000", "tags": [ "rocket kitten", "Turk Black Hat", "irgc", "iran" ], "references": [ "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" ], "public": 1, "adversary": "Charming Kitten", "targeted_countries": [ "Israel" ], "malware_families": [], "attack_ids": [], "industries": [ "Media", "NGO", "Human Rights", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 87, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 28, "domain": 219, "FileHash-SHA256": 6, "URL": 4, "hostname": 216, "FileHash-MD5": 45, "FileHash-SHA1": 8 }, "indicator_count": 526, "is_author": false, "is_subscribing": null, "subscriber_count": 386620, "modified_text": "3098 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68650f1136a4ca758ba1611a", "name": "Iranian APT actor-APT35 pt2", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:50:57.084000", "tags": [], "references": [ "APT35 pt2.pdf" ], "public": 1, "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 331, "email": 5, "hostname": 412 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686510765c13a0e97e20cb9c", "name": "Iranian APT actor-APT35 pt3", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:56:54.075000", "tags": [], "references": [ "APT35 pt3.pdf" ], "public": 1, "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 103, "FileHash-SHA256": 106, "CVE": 6, "domain": 337, "email": 4, "hostname": 229 }, "indicator_count": 909, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da2a443f27d56616b9a530", "name": "Charming Kitten", "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-22T04:40:36.129000", "tags": [ "downpaper", "magichound.retriever", "rocket kitten", "flying kitten" ], "references": [ "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [ "Saudi Arabia", "Denmark", "India", "United Arab Emirates", "Switzerland", "Germany", "France", "Turkey", "Israel", "United States of America", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "DownPaper", "display_name": "DownPaper", "target": null }, { "id": "MAGICHOUND.RETRIEVER", "display_name": "MAGICHOUND.RETRIEVER", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" } ], "industries": [ "Technology", "Government", "Energy", "Journalists", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 45, "FileHash-SHA1": 45, "FileHash-SHA256": 45, "URL": 9, "domain": 313, "email": 5, "hostname": 224 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 280, "modified_text": "1380 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "APT35 pt2.pdf", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "APT35 pt3.pdf", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" ], "related": { "alienvault": { "adversary": [ "Charming Kitten" ], "malware_families": [], "industries": [ "Media", "Education", "Ngo", "Human rights" ] }, "other": { "adversary": [ "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage", "Rocket Kitten", "Ajax Security Team" ], "malware_families": [ "Hoffman", "Rocket kitten", "Magichound.retriever", "Tspy_woolerg.a.", "Detected gholee", "Bkdr_ghole.b.", "Downpaper", "Flying kitten", "Ghole", "Ishak" ], "industries": [ "Government", "Aerospace", "Journalists", "Defense", "Industrial", "Media", "Technology", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "5a26d621cdfd16043af60a9a", "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets", "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.", "modified": "2017-12-05T17:23:45.194000", "created": "2017-12-05T17:23:45.194000", "tags": [ "rocket kitten", "Turk Black Hat", "irgc", "iran" ], "references": [ "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" ], "public": 1, "adversary": "Charming Kitten", "targeted_countries": [ "Israel" ], "malware_families": [], "attack_ids": [], "industries": [ "Media", "NGO", "Human Rights", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 87, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 28, "domain": 219, "FileHash-SHA256": 6, "URL": 4, "hostname": 216, "FileHash-MD5": 45, "FileHash-SHA1": 8 }, "indicator_count": 526, "is_author": false, "is_subscribing": null, "subscriber_count": 386620, "modified_text": "3098 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68650f1136a4ca758ba1611a", "name": "Iranian APT actor-APT35 pt2", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:50:57.084000", "tags": [], "references": [ "APT35 pt2.pdf" ], "public": 1, "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 331, "email": 5, "hostname": 412 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686510765c13a0e97e20cb9c", "name": "Iranian APT actor-APT35 pt3", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:56:54.075000", "tags": [], "references": [ "APT35 pt3.pdf" ], "public": 1, "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 124, "FileHash-SHA1": 103, "FileHash-SHA256": 106, "CVE": 6, "domain": 337, "email": 4, "hostname": 229 }, "indicator_count": 909, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "303 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da2a443f27d56616b9a530", "name": "Charming Kitten", "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.", "modified": "2022-08-20T00:02:32.698000", "created": "2022-07-22T04:40:36.129000", "tags": [ "downpaper", "magichound.retriever", "rocket kitten", "flying kitten" ], "references": [ "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [ "Saudi Arabia", "Denmark", "India", "United Arab Emirates", "Switzerland", "Germany", "France", "Turkey", "Israel", "United States of America", "Iran, Islamic Republic of" ], "malware_families": [ { "id": "DownPaper", "display_name": "DownPaper", "target": null }, { "id": "MAGICHOUND.RETRIEVER", "display_name": "MAGICHOUND.RETRIEVER", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" } ], "industries": [ "Technology", "Government", "Energy", "Journalists", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 45, "FileHash-SHA1": 45, "FileHash-SHA256": 45, "URL": 9, "domain": 313, "email": 5, "hostname": 224 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 280, "modified_text": "1380 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "display-error-runtime.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "display-error-runtime.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780224097.6105292 }