{
  "type": "Domain",
  "indicator": "dnsmicrosoftds-data.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/dnsmicrosoftds-data.com",
    "alexa": "http://www.alexa.com/siteinfo/dnsmicrosoftds-data.com",
    "indicator": "dnsmicrosoftds-data.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4122320643,
      "indicator": "dnsmicrosoftds-data.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "68a6827e930a07d2130dda50",
          "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
          "description": "This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting.",
          "modified": "2025-09-20T02:05:13.847000",
          "created": "2025-08-21T02:20:46.919000",
          "tags": [
            "cornflake.v3",
            "windytwist.sea",
            "node.js",
            "clickfix",
            "backdoor",
            "kerberoasting",
            "php"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
          ],
          "public": 1,
          "adversary": "UNC5518 and UNC5774",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1552.006",
              "name": "Group Policy Preferences",
              "display_name": "T1552.006 - Group Policy Preferences"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 44,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387200,
          "modified_text": "256 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ac163718a6b7c8f0fb4478",
          "name": "FileFix The Evolved ClickFix.",
          "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.",
          "modified": "2025-09-24T07:05:04.439000",
          "created": "2025-08-25T07:52:23.112000",
          "tags": [
            "filefix",
            "clickfix",
            "mrd0x",
            "file explorer",
            "kongtuke",
            "html code",
            "run dialogue",
            "windows run",
            "windows command",
            "june",
            "fakeupdates",
            "powershell",
            "clearfake",
            "execution",
            "malware",
            "mintsloader",
            "stealc",
            "akira",
            "rhysida",
            "monitoring",
            "apply",
            "base64",
            "socghoulish",
            "url https",
            "domain",
            "url http",
            "file name",
            "name",
            "ip address",
            "sha256",
            "indicator type",
            "userprofile",
            "sha256 http"
          ],
          "references": [
            "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Base64",
              "display_name": "Base64",
              "target": null
            },
            {
              "id": "KongTuke",
              "display_name": "KongTuke",
              "target": null
            },
            {
              "id": "FileFix",
              "display_name": "FileFix",
              "target": null
            },
            {
              "id": "SocGhoulish",
              "display_name": "SocGhoulish",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 10,
            "URL": 66,
            "domain": 45,
            "hostname": 3
          },
          "indicator_count": 126,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "252 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a88f34df18eac798d7d7a0",
          "name": "IOC Blocking",
          "description": "",
          "modified": "2025-09-21T15:02:34.424000",
          "created": "2025-08-22T15:39:32.863000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "255 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a73f1fbbbe876f3d23e66d",
          "name": "aaaaaaaaaa",
          "description": "",
          "modified": "2025-09-20T15:02:39.474000",
          "created": "2025-08-21T15:45:35.683000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "256 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a7327f59533ce3e8486247",
          "name": "aaaaaaaaaaaaa",
          "description": "",
          "modified": "2025-09-20T14:02:46.959000",
          "created": "2025-08-21T14:51:43.807000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "256 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a7e3908cb4884ad6efbd67",
          "name": "TTP - A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
          "description": "\u672c\u62a5\u544a\u63ed\u793a\u4e86 CORNFLAKE.V3 \u540e\u95e8 \u7684\u6280\u672f\u7ec6\u8282\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u7531 UNC5774\uff08\u8d22\u52a1\u52a8\u673a\u578b\u56e2\u4f19\uff09 \u4f7f\u7528\uff0c\u5e76\u901a\u8fc7 UNC5518 \u7684 ClickFix \u653b\u51fb\u670d\u52a1 \u83b7\u5f97\u521d\u59cb\u8bbf\u95ee\u6743\u9650\u3002\u4e0d\u540c\u4e8e\u4e4b\u524d\u7684 V1 (C \u8bed\u8a00\u4e0b\u8f7d\u5668) \u548c V2 (JS \u4e0b\u8f7d\u5668)\uff0cV3 \u5df2\u8fdb\u5316\u4e3a JS/PHP \u7f16\u5199\u7684\u5b8c\u6574\u540e\u95e8\uff0c\u652f\u6301\u6301\u4e45\u5316\u3001\u7cfb\u7edf\u4fa6\u5bdf\u3001\u51ed\u8bc1\u7a83\u53d6\u53ca\u6a2a\u5411\u79fb\u52a8\u3002\u5176 C2 \u901a\u8baf\u901a\u8fc7 HTTP + XOR \u7f16\u7801\uff0c\u5e76\u5229\u7528 Cloudflare Tunnel \u9690\u533f\u6d41\u91cf\u3002\u62a5\u544a\u540c\u65f6\u63ed\u793a\u5176 Node.js \u4e0e PHP \u53cc\u7248\u672c\u5b9e\u73b0\uff0c\u663e\u793a\u51fa\u6301\u7eed\u8fed\u4ee3\u548c\u89c4\u907f\u68c0\u6d4b\u7684\u8d8b\u52bf\u3002",
          "modified": "2025-09-20T02:05:13.847000",
          "created": "2025-08-22T03:27:12.781000",
          "tags": [
            "cornflake.v3",
            "windytwist.sea",
            "node.js",
            "clickfix",
            "backdoor",
            "kerberoasting",
            "php"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
          ],
          "public": 1,
          "adversary": "UNC5518 and UNC5774",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1482",
              "name": "Domain Trust Discovery",
              "display_name": "T1482 - Domain Trust Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1552.006",
              "name": "Group Policy Preferences",
              "display_name": "T1552.006 - Group Policy Preferences"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68a6827e930a07d2130dda50",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "256 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a6438f99b44336ec1eda95",
          "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor.",
          "description": "The CORNFLAKE.V3 backdoor, part of a campaign associated with the threat groups UNC5518 and UNC5774, has been under investigation by Mandiant Threat Defense since mid-2024. UNC5518 predominantly exploits legitimate websites by serving fake CAPTCHA verification pages to distribute a downloader script, initiating a malware infection chain. This financially motivated group often collaborates with other actors who utilize the access gained for further malicious deployments.",
          "modified": "2025-09-19T21:00:18.229000",
          "created": "2025-08-20T21:52:15.188000",
          "tags": [
            "unc5518",
            "mandiant threat",
            "defense",
            "unc5774",
            "mandiant",
            "http",
            "series straight",
            "june",
            "powershell",
            "voltmarker",
            "netsupport",
            "php",
            "cornflake.v3 php",
            "javascript",
            "node.js",
            "windytwist.sea",
            "java windytwist",
            "cornflake",
            "cornflake.v3"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "PHP",
              "display_name": "PHP",
              "target": null
            },
            {
              "id": "CORNFLAKE.V3 PHP",
              "display_name": "CORNFLAKE.V3 PHP",
              "target": null
            },
            {
              "id": "Javascript",
              "display_name": "Javascript",
              "target": null
            },
            {
              "id": "Node.js",
              "display_name": "Node.js",
              "target": null
            },
            {
              "id": "WINDYTWIST.SEA",
              "display_name": "WINDYTWIST.SEA",
              "target": null
            },
            {
              "id": "Java WINDYTWIST",
              "display_name": "Java WINDYTWIST",
              "target": null
            },
            {
              "id": "CORNFLAKE",
              "display_name": "CORNFLAKE",
              "target": null
            },
            {
              "id": "CORNFLAKE.V3",
              "display_name": "CORNFLAKE.V3",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 7,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "257 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/",
        "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix",
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC5518 and UNC5774"
          ],
          "malware_families": [
            "Cornflake.v3",
            "Windytwist.sea"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "UNC5518 and UNC5774"
          ],
          "malware_families": [
            "Base64",
            "Php",
            "Node.js",
            "Cornflake",
            "Cornflake.v3 php",
            "Java windytwist",
            "Netsupport",
            "Javascript",
            "Socghoulish",
            "Kongtuke",
            "Filefix",
            "Cornflake.v3",
            "Windytwist.sea"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "68a6827e930a07d2130dda50",
      "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
      "description": "This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting.",
      "modified": "2025-09-20T02:05:13.847000",
      "created": "2025-08-21T02:20:46.919000",
      "tags": [
        "cornflake.v3",
        "windytwist.sea",
        "node.js",
        "clickfix",
        "backdoor",
        "kerberoasting",
        "php"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
      ],
      "public": 1,
      "adversary": "UNC5518 and UNC5774",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1552.006",
          "name": "Group Policy Preferences",
          "display_name": "T1552.006 - Group Policy Preferences"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 44,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387200,
      "modified_text": "256 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ac163718a6b7c8f0fb4478",
      "name": "FileFix The Evolved ClickFix.",
      "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.",
      "modified": "2025-09-24T07:05:04.439000",
      "created": "2025-08-25T07:52:23.112000",
      "tags": [
        "filefix",
        "clickfix",
        "mrd0x",
        "file explorer",
        "kongtuke",
        "html code",
        "run dialogue",
        "windows run",
        "windows command",
        "june",
        "fakeupdates",
        "powershell",
        "clearfake",
        "execution",
        "malware",
        "mintsloader",
        "stealc",
        "akira",
        "rhysida",
        "monitoring",
        "apply",
        "base64",
        "socghoulish",
        "url https",
        "domain",
        "url http",
        "file name",
        "name",
        "ip address",
        "sha256",
        "indicator type",
        "userprofile",
        "sha256 http"
      ],
      "references": [
        "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Base64",
          "display_name": "Base64",
          "target": null
        },
        {
          "id": "KongTuke",
          "display_name": "KongTuke",
          "target": null
        },
        {
          "id": "FileFix",
          "display_name": "FileFix",
          "target": null
        },
        {
          "id": "SocGhoulish",
          "display_name": "SocGhoulish",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 10,
        "URL": 66,
        "domain": 45,
        "hostname": 3
      },
      "indicator_count": 126,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "252 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a88f34df18eac798d7d7a0",
      "name": "IOC Blocking",
      "description": "",
      "modified": "2025-09-21T15:02:34.424000",
      "created": "2025-08-22T15:39:32.863000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "255 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a73f1fbbbe876f3d23e66d",
      "name": "aaaaaaaaaa",
      "description": "",
      "modified": "2025-09-20T15:02:39.474000",
      "created": "2025-08-21T15:45:35.683000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "256 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a7327f59533ce3e8486247",
      "name": "aaaaaaaaaaaaa",
      "description": "",
      "modified": "2025-09-20T14:02:46.959000",
      "created": "2025-08-21T14:51:43.807000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "256 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a7e3908cb4884ad6efbd67",
      "name": "TTP - A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor",
      "description": "\u672c\u62a5\u544a\u63ed\u793a\u4e86 CORNFLAKE.V3 \u540e\u95e8 \u7684\u6280\u672f\u7ec6\u8282\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u7531 UNC5774\uff08\u8d22\u52a1\u52a8\u673a\u578b\u56e2\u4f19\uff09 \u4f7f\u7528\uff0c\u5e76\u901a\u8fc7 UNC5518 \u7684 ClickFix \u653b\u51fb\u670d\u52a1 \u83b7\u5f97\u521d\u59cb\u8bbf\u95ee\u6743\u9650\u3002\u4e0d\u540c\u4e8e\u4e4b\u524d\u7684 V1 (C \u8bed\u8a00\u4e0b\u8f7d\u5668) \u548c V2 (JS \u4e0b\u8f7d\u5668)\uff0cV3 \u5df2\u8fdb\u5316\u4e3a JS/PHP \u7f16\u5199\u7684\u5b8c\u6574\u540e\u95e8\uff0c\u652f\u6301\u6301\u4e45\u5316\u3001\u7cfb\u7edf\u4fa6\u5bdf\u3001\u51ed\u8bc1\u7a83\u53d6\u53ca\u6a2a\u5411\u79fb\u52a8\u3002\u5176 C2 \u901a\u8baf\u901a\u8fc7 HTTP + XOR \u7f16\u7801\uff0c\u5e76\u5229\u7528 Cloudflare Tunnel \u9690\u533f\u6d41\u91cf\u3002\u62a5\u544a\u540c\u65f6\u63ed\u793a\u5176 Node.js \u4e0e PHP \u53cc\u7248\u672c\u5b9e\u73b0\uff0c\u663e\u793a\u51fa\u6301\u7eed\u8fed\u4ee3\u548c\u89c4\u907f\u68c0\u6d4b\u7684\u8d8b\u52bf\u3002",
      "modified": "2025-09-20T02:05:13.847000",
      "created": "2025-08-22T03:27:12.781000",
      "tags": [
        "cornflake.v3",
        "windytwist.sea",
        "node.js",
        "clickfix",
        "backdoor",
        "kerberoasting",
        "php"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor"
      ],
      "public": 1,
      "adversary": "UNC5518 and UNC5774",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1482",
          "name": "Domain Trust Discovery",
          "display_name": "T1482 - Domain Trust Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1552.006",
          "name": "Group Policy Preferences",
          "display_name": "T1552.006 - Group Policy Preferences"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68a6827e930a07d2130dda50",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "256 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a6438f99b44336ec1eda95",
      "name": "A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor.",
      "description": "The CORNFLAKE.V3 backdoor, part of a campaign associated with the threat groups UNC5518 and UNC5774, has been under investigation by Mandiant Threat Defense since mid-2024. UNC5518 predominantly exploits legitimate websites by serving fake CAPTCHA verification pages to distribute a downloader script, initiating a malware infection chain. This financially motivated group often collaborates with other actors who utilize the access gained for further malicious deployments.",
      "modified": "2025-09-19T21:00:18.229000",
      "created": "2025-08-20T21:52:15.188000",
      "tags": [
        "unc5518",
        "mandiant threat",
        "defense",
        "unc5774",
        "mandiant",
        "http",
        "series straight",
        "june",
        "powershell",
        "voltmarker",
        "netsupport",
        "php",
        "cornflake.v3 php",
        "javascript",
        "node.js",
        "windytwist.sea",
        "java windytwist",
        "cornflake",
        "cornflake.v3"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "PHP",
          "display_name": "PHP",
          "target": null
        },
        {
          "id": "CORNFLAKE.V3 PHP",
          "display_name": "CORNFLAKE.V3 PHP",
          "target": null
        },
        {
          "id": "Javascript",
          "display_name": "Javascript",
          "target": null
        },
        {
          "id": "Node.js",
          "display_name": "Node.js",
          "target": null
        },
        {
          "id": "WINDYTWIST.SEA",
          "display_name": "WINDYTWIST.SEA",
          "target": null
        },
        {
          "id": "Java WINDYTWIST",
          "display_name": "Java WINDYTWIST",
          "target": null
        },
        {
          "id": "CORNFLAKE",
          "display_name": "CORNFLAKE",
          "target": null
        },
        {
          "id": "CORNFLAKE.V3",
          "display_name": "CORNFLAKE.V3",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 7,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "257 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "type": "Domain",
    "indicator": "dnsmicrosoftds-data.com",
    "stats": {
      "malicious": 0,
      "suspicious": 0,
      "harmless": 57,
      "undetected": 34,
      "total": 91,
      "verdict": "clean",
      "ratio": "0/91"
    },
    "verdict": "clean",
    "ratio": "0/91",
    "registrar": "",
    "creation_date": 1749600000,
    "reputation": -11,
    "tags": [],
    "categories": {},
    "top_detections": [],
    "last_analysis": 1780300889,
    "error": null
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "dnsmicrosoftds-data.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780531228.0480692
}