{
  "type": "Domain",
  "indicator": "doc-viewer.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/doc-viewer.com",
    "alexa": "http://www.alexa.com/siteinfo/doc-viewer.com",
    "indicator": "doc-viewer.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 208999805,
      "indicator": "doc-viewer.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "5a26d621cdfd16043af60a9a",
          "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
          "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
          "modified": "2017-12-05T17:23:45.194000",
          "created": "2017-12-05T17:23:45.194000",
          "tags": [
            "rocket kitten",
            "Turk Black Hat",
            "irgc",
            "iran"
          ],
          "references": [
            "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Charming Kitten",
          "targeted_countries": [
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Media",
            "NGO",
            "Human Rights",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 87,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 28,
            "domain": 219,
            "FileHash-SHA256": 6,
            "URL": 4,
            "hostname": 216,
            "FileHash-MD5": 45,
            "FileHash-SHA1": 8
          },
          "indicator_count": 526,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387072,
          "modified_text": "3101 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.",
          "modified": "2026-06-02T00:28:15.681000",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1333,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 72171,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 887927,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 301,
          "modified_text": "20 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68650f1136a4ca758ba1611a",
          "name": "Iranian APT actor-APT35 pt2",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:50:57.084000",
          "tags": [],
          "references": [
            "APT35 pt2.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 331,
            "email": 5,
            "hostname": 412
          },
          "indicator_count": 760,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686510765c13a0e97e20cb9c",
          "name": "Iranian APT actor-APT35 pt3",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:56:54.075000",
          "tags": [],
          "references": [
            "APT35 pt3.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 124,
            "FileHash-SHA1": 103,
            "FileHash-SHA256": 106,
            "CVE": 6,
            "domain": 337,
            "email": 4,
            "hostname": 229
          },
          "indicator_count": 909,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "305 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657204e214864e5fdcf4414e",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations | Microsoft Security Blog",
          "description": "SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations\u2019 social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association.",
          "modified": "2023-12-07T17:46:10.800000",
          "created": "2023-12-07T17:46:10.800000",
          "tags": [
            "seaborgium",
            "microsoft",
            "mstic",
            "office",
            "defender",
            "iocs",
            "ukraine",
            "onedrive",
            "pdf file",
            "email",
            "august",
            "april"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
          ],
          "public": 1,
          "adversary": "SEABORGIUM, Star Blizzard",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cnoscsoc@att.com",
            "id": "81627",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "638459c3af866a7242f7ec64",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
          "description": "",
          "modified": "2022-11-28T06:48:35.754000",
          "created": "2022-11-28T06:48:35.754000",
          "tags": [
            "seaborgium",
            "mstic",
            "office",
            "defender",
            "ukraine",
            "onedrive",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
          ],
          "public": 1,
          "adversary": "SEABORGIUM",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63845993c9628da6d921a2de",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1282 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63845993c9628da6d921a2de",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
          "description": "The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.",
          "modified": "2022-11-28T06:47:47.803000",
          "created": "2022-11-28T06:47:47.803000",
          "tags": [
            "seaborgium",
            "mstic",
            "office",
            "defender",
            "ukraine",
            "onedrive",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
          ],
          "public": 1,
          "adversary": "SEABORGIUM",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1282 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6307632073d7c1c406ebc2cb",
          "name": "Microsoft Warns Phishing Attack Linked To Seaborgium",
          "description": "The full text of the article below:.. (c) - here is the full set of text-based updates on Facebook, Twitter and other social media sites, as well as the BBC News website.",
          "modified": "2022-08-25T11:55:12.536000",
          "created": "2022-08-25T11:55:12.536000",
          "tags": [],
          "references": [
            "Domains - Microsoft Warns Phishing Attack Linked To Seaborgium.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "arulieswaran",
            "id": "190549",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "1377 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62da2a443f27d56616b9a530",
          "name": "Charming Kitten",
          "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.",
          "modified": "2022-08-20T00:02:32.698000",
          "created": "2022-07-22T04:40:36.129000",
          "tags": [
            "downpaper",
            "magichound.retriever",
            "rocket kitten",
            "flying kitten"
          ],
          "references": [
            "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [
            "Saudi Arabia",
            "Denmark",
            "India",
            "United Arab Emirates",
            "Switzerland",
            "Germany",
            "France",
            "Turkey",
            "Israel",
            "United States of America",
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "DownPaper",
              "display_name": "DownPaper",
              "target": null
            },
            {
              "id": "MAGICHOUND.RETRIEVER",
              "display_name": "MAGICHOUND.RETRIEVER",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Government",
            "Energy",
            "Journalists",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 45,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 45,
            "URL": 9,
            "domain": 313,
            "email": 5,
            "hostname": 224
          },
          "indicator_count": 686,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 281,
          "modified_text": "1382 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fc9bba90145c7d2c88e87d",
          "name": "Microsoft disrupts Russian hackers' operation on NATO targets",
          "description": "The Microsoft Threat Intelligence Center (MSTIC) has disrupted a hacking and social engineering operation linked to a Russian threat actor tracked as SEABORGIUM that targets people and organizations in NATO countries.\n\nMicrosoft says that SEABORGIUM, also known as ColdRiver by Google and TA446 by Proofpoint, primarily target NATO countries but have seen campaigns in the Baltics, Nordics, and Eastern Europe regions, including Ukraine.\n\nBelieved to be a Russian state-sponsored hacking group, the threat actors attempt to steal sensitive emails from organizations and people of interest to Russia",
          "modified": "2022-08-17T07:41:46.014000",
          "created": "2022-08-17T07:41:46.014000",
          "tags": [
            "seaborgium",
            "microsoft",
            "mstic",
            "office",
            "defender",
            "iocs",
            "ukraine",
            "onedrive",
            "pdf file",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
            "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-russian-hackers-operation-on-nato-targets/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SEABORGIUM",
              "display_name": "SEABORGIUM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [
            "Higher Education",
            "Consulting",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 346,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 437,
          "modified_text": "1385 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fbc93176a5cbd183032e32",
          "name": "Microsoft warns of Russia-linked phishing attacks",
          "description": "",
          "modified": "2022-08-16T16:43:29.621000",
          "created": "2022-08-16T16:43:29.621000",
          "tags": [],
          "references": [
            "August 16, 2022 - CryptoGen Cyber Threat Intelligence - Microsoft warns of Russia-linked phishing attacks.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "domain": 114
          },
          "indicator_count": 117,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1386 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fb7ccc4f9f26058ceaaf7a",
          "name": "SEABORGIUM",
          "description": "The following is a full list of names and names:.. and the following ones:, for the first time, following the release of the full set of official documents on 1 January 2017.",
          "modified": "2022-08-16T11:17:32.826000",
          "created": "2022-08-16T11:17:32.826000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "SEABORGIUM",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jpatterson",
            "id": "199384",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 32,
          "modified_text": "1386 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fb385c1b32d48d708be124",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
          "description": "Microsoft\u2019s security services are being disrupted by a threat actor that originates from Russia, the company has confirmed to the BBC in a report published in the New York Times on Tuesday.",
          "modified": "2022-08-16T06:25:32.340000",
          "created": "2022-08-16T06:25:32.340000",
          "tags": [
            "seaborgium",
            "microsoft",
            "mstic",
            "office",
            "defender",
            "iocs",
            "ukraine",
            "onedrive",
            "pdf file",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SEABORGIUM",
              "display_name": "SEABORGIUM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [
            "Higher Education",
            "Consulting",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "1386 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fa83e615532bfa9db335a5",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
          "description": "Microsoft\u2019s security services are being disrupted by a threat actor that originates from Russia, the company has confirmed to the BBC in a report published in the New York Times on Tuesday.",
          "modified": "2022-08-15T17:35:34.088000",
          "created": "2022-08-15T17:35:34.088000",
          "tags": [
            "seaborgium",
            "microsoft",
            "mstic",
            "office",
            "defender",
            "iocs",
            "ukraine",
            "onedrive",
            "pdf file",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SEABORGIUM",
              "display_name": "SEABORGIUM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [
            "Higher Education",
            "Consulting",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "1387 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62fa72928a6868ec2ce095d7",
          "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
          "description": "Here is a full list of links that can be accessed via GitHub, the open-access website for software developers, developers and other users, as well as links to other sites on the site.",
          "modified": "2022-08-15T16:21:38.954000",
          "created": "2022-08-15T16:21:38.954000",
          "tags": [
            "seaborgium",
            "github",
            "jump",
            "azuresentinel",
            "sign",
            "strong",
            "view",
            "code issues",
            "pull",
            "wiki security",
            "unicode",
            "copy",
            "contact",
            "star",
            "defender",
            "open",
            "footer",
            "ipaddress",
            "domainnames",
            "dnsname",
            "computer",
            "account",
            "microsoft",
            "mstic",
            "office",
            "iocs",
            "ukraine",
            "onedrive",
            "pdf file",
            "russia"
          ],
          "references": [
            "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
            "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SEABORGIUMDomainsAugust2022.yaml",
            "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/SEABORGIUMDomainIOCsAug2022.yaml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SEABORGIUM",
              "display_name": "SEABORGIUM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Higher Education",
            "Consulting",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 69
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 166,
          "modified_text": "1387 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "61f61a079a22827265d31380",
          "name": "NewDom-1-20220130",
          "description": "ICANN-Dom",
          "modified": "2022-03-16T00:02:55.894000",
          "created": "2022-01-30T04:54:31.742000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ZENDataGELowC",
            "id": "152785",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 202,
          "modified_text": "1539 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        }
      ],
      "references": [
        "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SEABORGIUMDomainsAugust2022.yaml",
        "Domains - Microsoft Warns Phishing Attack Linked To Seaborgium.txt",
        "APT35 pt2.pdf",
        "APT35 pt3.pdf",
        "August 16, 2022 - CryptoGen Cyber Threat Intelligence - Microsoft warns of Russia-linked phishing attacks.pdf",
        "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
        "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
        "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/SEABORGIUMDomainIOCsAug2022.yaml",
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-russian-hackers-operation-on-nato-targets/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Charming Kitten"
          ],
          "malware_families": [],
          "industries": [
            "Ngo",
            "Human rights",
            "Education",
            "Media"
          ]
        },
        "other": {
          "adversary": [
            "SEABORGIUM, Star Blizzard",
            "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
            "Rocket Kitten",
            "SEABORGIUM"
          ],
          "malware_families": [
            "Seaborgium",
            "Magichound.retriever",
            "Downpaper"
          ],
          "industries": [
            "Government",
            "Energy",
            "Higher education",
            "Media",
            "Consulting",
            "Defense",
            "Journalists",
            "Technology",
            "Industrial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "5a26d621cdfd16043af60a9a",
      "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
      "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
      "modified": "2017-12-05T17:23:45.194000",
      "created": "2017-12-05T17:23:45.194000",
      "tags": [
        "rocket kitten",
        "Turk Black Hat",
        "irgc",
        "iran"
      ],
      "references": [
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Charming Kitten",
      "targeted_countries": [
        "Israel"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Media",
        "NGO",
        "Human Rights",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 87,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 28,
        "domain": 219,
        "FileHash-SHA256": 6,
        "URL": 4,
        "hostname": 216,
        "FileHash-MD5": 45,
        "FileHash-SHA1": 8
      },
      "indicator_count": 526,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387072,
      "modified_text": "3101 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.",
      "modified": "2026-06-02T00:28:15.681000",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1333,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 72171,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 887927,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 301,
      "modified_text": "20 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68650f1136a4ca758ba1611a",
      "name": "Iranian APT actor-APT35 pt2",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:50:57.084000",
      "tags": [],
      "references": [
        "APT35 pt2.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 331,
        "email": 5,
        "hostname": 412
      },
      "indicator_count": 760,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686510765c13a0e97e20cb9c",
      "name": "Iranian APT actor-APT35 pt3",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:56:54.075000",
      "tags": [],
      "references": [
        "APT35 pt3.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 124,
        "FileHash-SHA1": 103,
        "FileHash-SHA256": 106,
        "CVE": 6,
        "domain": 337,
        "email": 4,
        "hostname": 229
      },
      "indicator_count": 909,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "305 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "657204e214864e5fdcf4414e",
      "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations | Microsoft Security Blog",
      "description": "SEABORGIUM is a highly persistent threat actor, frequently targeting the same organizations over long periods of time. Once successful, it slowly infiltrates targeted organizations\u2019 social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. SEABORGIUM has successfully compromised organizations and people of interest in consistent campaigns for several years, rarely changing methodologies or tactics. Based on known indicators of compromise and actor tactics, SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association.",
      "modified": "2023-12-07T17:46:10.800000",
      "created": "2023-12-07T17:46:10.800000",
      "tags": [
        "seaborgium",
        "microsoft",
        "mstic",
        "office",
        "defender",
        "iocs",
        "ukraine",
        "onedrive",
        "pdf file",
        "email",
        "august",
        "april"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
      ],
      "public": 1,
      "adversary": "SEABORGIUM, Star Blizzard",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cnoscsoc@att.com",
        "id": "81627",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 69
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "908 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "638459c3af866a7242f7ec64",
      "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
      "description": "",
      "modified": "2022-11-28T06:48:35.754000",
      "created": "2022-11-28T06:48:35.754000",
      "tags": [
        "seaborgium",
        "mstic",
        "office",
        "defender",
        "ukraine",
        "onedrive",
        "russia"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
      ],
      "public": 1,
      "adversary": "SEABORGIUM",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63845993c9628da6d921a2de",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 69
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "1282 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63845993c9628da6d921a2de",
      "name": "Disrupting SEABORGIUM\u2019s ongoing phishing operations - Microsoft Security Blog",
      "description": "The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations.",
      "modified": "2022-11-28T06:47:47.803000",
      "created": "2022-11-28T06:47:47.803000",
      "tags": [
        "seaborgium",
        "mstic",
        "office",
        "defender",
        "ukraine",
        "onedrive",
        "russia"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
      ],
      "public": 1,
      "adversary": "SEABORGIUM",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 69
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1282 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6307632073d7c1c406ebc2cb",
      "name": "Microsoft Warns Phishing Attack Linked To Seaborgium",
      "description": "The full text of the article below:.. (c) - here is the full set of text-based updates on Facebook, Twitter and other social media sites, as well as the BBC News website.",
      "modified": "2022-08-25T11:55:12.536000",
      "created": "2022-08-25T11:55:12.536000",
      "tags": [],
      "references": [
        "Domains - Microsoft Warns Phishing Attack Linked To Seaborgium.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "arulieswaran",
        "id": "190549",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 69
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "1377 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62da2a443f27d56616b9a530",
      "name": "Charming Kitten",
      "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.",
      "modified": "2022-08-20T00:02:32.698000",
      "created": "2022-07-22T04:40:36.129000",
      "tags": [
        "downpaper",
        "magichound.retriever",
        "rocket kitten",
        "flying kitten"
      ],
      "references": [
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [
        "Saudi Arabia",
        "Denmark",
        "India",
        "United Arab Emirates",
        "Switzerland",
        "Germany",
        "France",
        "Turkey",
        "Israel",
        "United States of America",
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "DownPaper",
          "display_name": "DownPaper",
          "target": null
        },
        {
          "id": "MAGICHOUND.RETRIEVER",
          "display_name": "MAGICHOUND.RETRIEVER",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Government",
        "Energy",
        "Journalists",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 45,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 45,
        "URL": 9,
        "domain": 313,
        "email": 5,
        "hostname": 224
      },
      "indicator_count": 686,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 281,
      "modified_text": "1382 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62fc9bba90145c7d2c88e87d",
      "name": "Microsoft disrupts Russian hackers' operation on NATO targets",
      "description": "The Microsoft Threat Intelligence Center (MSTIC) has disrupted a hacking and social engineering operation linked to a Russian threat actor tracked as SEABORGIUM that targets people and organizations in NATO countries.\n\nMicrosoft says that SEABORGIUM, also known as ColdRiver by Google and TA446 by Proofpoint, primarily targets NATO countries, but campaigns have also been seen in the Baltics, Nordics, and Eastern Europe regions, including Ukraine.\n\nBelieved to be a Russian state-sponsored hacking group, the threat actors attempt to steal sensitive emails from organizations and people of interest to Russia.",
      "modified": "2022-08-17T07:41:46.014000",
      "created": "2022-08-17T07:41:46.014000",
      "tags": [
        "seaborgium",
        "microsoft",
        "mstic",
        "office",
        "defender",
        "iocs",
        "ukraine",
        "onedrive",
        "pdf file",
        "russia"
      ],
      "references": [
        "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/",
        "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-russian-hackers-operation-on-nato-targets/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "SEABORGIUM",
          "display_name": "SEABORGIUM",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        }
      ],
      "industries": [
        "Higher Education",
        "Consulting",
        "Defense",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 346,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 69
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 437,
      "modified_text": "1385 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "doc-viewer.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "doc-viewer.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780432603.6110725
}