{
  "type": "Domain",
  "indicator": "docuinshare.top",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/docuinshare.top",
    "alexa": "http://www.alexa.com/siteinfo/docuinshare.top",
    "indicator": "docuinshare.top",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4026183182,
      "indicator": "docuinshare.top",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "678a8ce9b82a67a056a959df",
          "name": "Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service",
          "description": "A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 phishing kit codebase. Sneaky Log's operations include selling tools like the AiTM phishing kit, an email sender, and redirect/attachment services. The service uses multiple cryptocurrencies for payments and may employ transaction obfuscation mechanisms.",
          "modified": "2025-02-16T00:01:21.376000",
          "created": "2025-01-17T17:01:28.415000",
          "tags": [
            "AiTM",
            "phishing",
            "Telegram",
            "cryptocurrency",
            "obfuscation"
          ],
          "references": [
            "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
          ],
          "public": 1,
          "adversary": "Sneaky Log",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sneaky 2FA",
              "display_name": "Sneaky 2FA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 91,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 23,
            "hostname": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386463,
          "modified_text": "469 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a173cde3fe086aff7ea9710",
          "name": "Sneaky2FA",
          "description": "Sneaky2FA is an adversary-in-the-middle (AiTM) phishing-as-a-service (PhaaS) kit targeting Microsoft 365 accounts, first detailed by Sekoia in January 2025 and active since at least October 2024. Operated by the \"Sneaky Log\" group and sold via a Telegram bot for around $200/month, it proxies authentication in real time to steal credentials and session cookies, bypassing MFA. Pages are typically hosted on compromised WordPress sites, pre-populate the victim's email, and use blurred Microsoft screenshots as backgrounds. Evasion includes Cloudflare Turnstile, CAPTCHA, IP filtering, and redirects of sandbox/analyst traffic to benign sites, plus heavy code obfuscation and rapid domain rotation. As of November 2025, the kit added Browser-in-the-Browser (BitB) pop-ups that spoof the Microsoft login window and address bar.",
          "modified": "2026-05-27T19:23:31.701000",
          "created": "2026-05-27T18:50:02.634000",
          "tags": [
            "Phishing",
            "phaas",
            "aitm",
            "mfa-bypass",
            "microsoft",
            "microsoft365",
            "sneaky2fa",
            "sneakylog",
            "session-hijacking",
            "credential-stealing",
            "credential=theft"
          ],
          "references": [
            "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
          ],
          "public": 1,
          "adversary": "Sneaky Log",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sneaky2FA",
              "display_name": "Sneaky2FA",
              "target": null
            },
            {
              "id": "Sneaky 2FA",
              "display_name": "Sneaky 2FA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1550.004",
              "name": "Web Session Cookie",
              "display_name": "T1550.004 - Web Session Cookie"
            },
            {
              "id": "T1606.001",
              "name": "Web Cookies",
              "display_name": "T1606.001 - Web Cookies"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1584.006",
              "name": "Web Services",
              "display_name": "T1584.006 - Web Services"
            }
          ],
          "industries": [
            "Financial Services",
            "Technology",
            "Healthcare",
            "Government",
            "Education",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "KorporateKevin",
            "id": "318270",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 107,
            "hostname": 8
          },
          "indicator_count": 115,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 9,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68122b6f06cbb5f973985fa8",
          "name": "Sneaky 2FA AiTM PhaaS",
          "description": "Sneaky 2FA is an emerging Adversary-in-the-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.",
          "modified": "2025-05-30T13:03:20.512000",
          "created": "2025-04-30T13:53:51.809000",
          "tags": [
            "Sneaky2FA",
            "AiTM",
            "PhaaS",
            "Sneaky Log",
            "Telegram",
            "ReCaptcha",
            "M365",
            "Microsoft",
            "Microsoft 365",
            "Turnstile",
            "websocket",
            "obfuscated-js",
            "wikikit",
            "javascript",
            "Cloudflare",
            "AWS",
            "autograb"
          ],
          "references": [
            "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/",
            "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa",
            "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit",
            "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/",
            "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/",
            "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365"
          ],
          "public": 1,
          "adversary": "Sneaky 2FA",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 167,
            "hostname": 12,
            "URL": 12,
            "FileHash-SHA256": 2
          },
          "indicator_count": 193,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "365 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c0cdc35112c5919563a334",
          "name": "Intel is bad awy",
          "description": "",
          "modified": "2025-03-29T20:01:20.482000",
          "created": "2025-02-27T20:40:35.539000",
          "tags": [
            "sign",
            "github",
            "find",
            "view",
            "search",
            "strong",
            "code issues",
            "pull",
            "breadcrumbs",
            "damn",
            "star",
            "footer",
            "sha1",
            "helldown linux",
            "iocs helldown",
            "windows payload",
            "icon",
            "darkrace",
            "donex",
            "ransom",
            "defanged file",
            "hashes",
            "ipv4",
            "sha256",
            "c2 ip",
            "address",
            "plugin",
            "brazanbamboo c2",
            "panel",
            "archive file",
            "bha006",
            "telegram bot",
            "token",
            "chat id",
            "sha256 hashes",
            "iocs",
            "intermediary",
            "landing",
            "aitm server",
            "compromise note",
            "hashes payload",
            "loader",
            "dropper",
            "ips https",
            "urls https",
            "duoyi",
            "ioc url",
            "ipv4 address",
            "c2 server",
            "sample sha256",
            "remcos",
            "decrypted",
            "urls http",
            "payload",
            "amos stealer",
            "stealc c2",
            "rhadamanthys c2",
            "phishing urls",
            "google meet",
            "amos steaker",
            "html payload",
            "stealc payload",
            "md5 hashes",
            "sha1 hashes",
            "iocs zip",
            "lnk file",
            "msi file",
            "payload url",
            "eldorado",
            "linux",
            "service dll",
            "cheat engine",
            "c2 domain",
            "compromise",
            "urls",
            "iocs files",
            "network ip",
            "domain",
            "malware hash",
            "noopldr type1",
            "noopldr type2",
            "download url",
            "email addresses",
            "block",
            "ioc http",
            "iocs hash",
            "url https",
            "ghostgambit",
            "hidden rootkit",
            "gh0strat",
            "mekotio banking",
            "financial",
            "latin america",
            "detected",
            "zipmsi",
            "downloader",
            "ip address",
            "cobalt strike",
            "first seen",
            "seen",
            "pantegana",
            "tls certificate",
            "fingerprint",
            "samples",
            "trojanspy",
            "msi",
            "subdomains",
            "reddit",
            "wetransfer",
            "ioc hash",
            "file hashes",
            "ip addresses",
            "fake captcha",
            "html",
            "hta script",
            "lumma payload",
            "filehashsha256",
            "indicator type",
            "sha256 lnk",
            "ports",
            "first stage",
            "md5 file",
            "domains",
            "reddelta c2",
            "servers",
            "octoberdecember",
            "shortcut",
            "files",
            "solo airfield",
            "quoc",
            "bctt",
            "kongtuke",
            "mintsloader c2",
            "js download",
            "c2 http",
            "boinc c2",
            "c2 address",
            "analyzed",
            "file name",
            "na stark",
            "na majestic",
            "description",
            "trojanized",
            "beavertail",
            "anydesk module",
            "domain hosting",
            "first",
            "details",
            "monitor",
            "sites",
            "fake chrome",
            "payload host",
            "c2 https",
            "examples",
            "atomic stealer",
            "c2 servers",
            "cthulhu stealer",
            "server http",
            "l files",
            "original",
            "iocs malicious",
            "mirrowsimps",
            "defanged",
            "strike loaders",
            "plugx",
            "plugx c2",
            "sspiuacbypass",
            "malware",
            "malware c2",
            "filehashmd5",
            "site",
            "orgvgodpayment",
            "quite solsjoas",
            "ioc sha256",
            "similar sha256",
            "http",
            "url hundreds",
            "url samples",
            "filehash",
            "guidloader",
            "finaldraft elf",
            "type name",
            "reference",
            "finaldraft",
            "sha256 pfman",
            "pathloader",
            "atomic https",
            "systembc",
            "ghostsocks",
            "invisibleferret",
            "vant",
            "rspackcore",
            "monero",
            "sha256 hash",
            "code snippets",
            "psexec",
            "ituneshelper",
            "pscp",
            "sftp",
            "googleupdate",
            "meshagent",
            "ultravnc",
            "file",
            "bootkitty iocs",
            "phpsert",
            "phpsert variant",
            "createdump tool",
            "visual studio",
            "code",
            "server",
            "sql injection",
            "studio code",
            "ssh access",
            "hta file",
            "vbshower c2",
            "powershower c2",
            "cloud",
            "hta md5",
            "domain name",
            "links",
            "c http",
            "horns",
            "version",
            "version b",
            "version c",
            "version d",
            "version e",
            "burnsrat c",
            "a http",
            "github users",
            "shell commands",
            "vssadmin delete",
            "userprofile",
            "public",
            "registry keys",
            "phobos",
            "lettointago",
            "carljohnson1948",
            "samuelwhite1821",
            "file hash",
            "lockbit",
            "indicatortype",
            "data",
            "mlpea",
            "w32neshtad",
            "gmer",
            "neshta",
            "opswat oesis",
            "v4 removal"
          ],
          "references": [
            "Bootkitty",
            "Glove-Stealer",
            "Fake Discount Sites Exploit Black Friday",
            "Helldown Ransomware",
            "HawkEye Malware",
            "PXA Stealer",
            "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
            "BrazenBamboo",
            "SpyGlace",
            "RustyStealer and New Ymir Ransomware",
            "PyPI-AIOCPA",
            "Python NodeStealer",
            "romcom-exploits-firefox-and-windows",
            "Rockstar-Phishing",
            "Silent Skimmer Gets Loud (Again)",
            "SteelFox Trojan",
            "WezRat Malware",
            "Avast-Anti-Root-KIt",
            "Winos4.0 RAT",
            "APT36",
            "WolfsBane Backdoor",
            "APT-K-47",
            "Remcos RAT",
            "babbleloader",
            "Bitter APT",
            "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
            "CloudScout_ Evasive Panda scouting cloud services",
            "clickfix-tactic",
            "Akira Ransomware",
            "Bumblebee Malware",
            "ELDORADO RANSOMWARE",
            "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
            "Demodex rootkit",
            "BugSleep Malware",
            "HotPage.exe (malware)",
            "Qilin Ransomware",
            "NOOPDOOR Malware",
            "Shadowroot Ransomware",
            "play ransomware",
            "MALLOX RANSOMWARE",
            "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
            "ACR Stealer",
            "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
            "Gh0stGambit",
            "MEKOTIO BANKING TROJAN",
            "TAG-100",
            "Fake game sites lead to information stealers",
            "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
            "macOS Users Targeted by the New Variant of Banshee Infostealer",
            "Hundreds of fake Reddit sites push Lumma Stealer malware",
            "GamaCopy APT Group Mimicking GamaRedon",
            "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
            "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
            "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
            "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
            "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
            "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
            "RansomHub Affiliate leverages Python-based backdoor",
            "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
            "Advanced Evasion Techniques Used by NonEuclid RAT",
            "The Return of PlugX Malware with Fresh Tricks",
            "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
            "Weaponized Software Targeting Chinese Organizations",
            "Threat Surge as Lumma Stealer Expands Its Reach",
            "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
            "MintsLoader_Stealc",
            "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
            "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
            "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
            "Salt Typhoon  Target U.S. Telecom Networks",
            "SecTopRAT",
            "Stealers on the Rise",
            "Snake Keylogger",
            "AsyncRAT Reloaded",
            "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
            "FatalRAT",
            "SystemBC RAT Poses New Risks to Linux System",
            "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
            "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
            "Espionage Campaign Targeting South Asian Entities",
            "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
            "The New Ransomware Menace Vgod Gains Momentum",
            "Microsoft Advertisers Phished via Malicious Google Ads",
            "LegionLoader Malware Expands Global Reach",
            "NEW.txt",
            "From Stealers to Ransomware PureCrypter Delivers It All",
            "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
            "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
            "LockBit Ransomware Attack Leveraging Cobalt Strike",
            "Rspack_Compromised_Packages",
            "SmokeLoader",
            "Sock5Systemz-PROXY-AM",
            "solana-backdoor",
            "U.S. Organization in China Targeted by Attackers",
            "UAC-0185 attacks warned by CERT-UA",
            "BellaCpp",
            "bootkitty(logofail)",
            "Visual Studio Code Remote tunnels",
            "Cloud Atlas seen using a new tool in its attacks",
            "Christmas-Themed LNK Files Used for Malware Delivery",
            "DarkGate",
            "MirrorFace Campain",
            "horns-hooves",
            "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
            "NetSupport RAT and BurnsRAT",
            "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
            "MUT-1244-GitHub",
            "Phobos ransomware",
            "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
            "PUMAKIT",
            "OtterCookie used by Contagious Interview",
            "Ransomware-Lockbit3-IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mekotio Banking",
              "display_name": "Mekotio Banking",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "MSI",
              "display_name": "MSI",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            },
            {
              "id": "Vant",
              "display_name": "Vant",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 84,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Badderawy",
            "id": "310597",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 950,
            "FileHash-SHA1": 847,
            "FileHash-SHA256": 1060,
            "hostname": 1158,
            "domain": 867,
            "URL": 813,
            "email": 77,
            "CIDR": 2,
            "CVE": 9
          },
          "indicator_count": 5783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6791f5136a8399b3e559c850",
          "name": "Tycoon 2FA Phishing",
          "description": "Ref:\nhttps://www.sekoia.io/en/glossary/tycoon-2fa-phishing/\nSources:\nhttps://x.com/RacWatchin8872/status/1882142052684824769\nhttps://github.com/MikhailKasimov/validin-phish-feed/blob/ee830104e1537e56c8aa6ff126daf82ade2f6189/validin-phish-feed-1.txt",
          "modified": "2025-02-22T07:01:59.374000",
          "created": "2025-01-23T07:51:47.175000",
          "tags": [
            "Tycoon",
            "Phishing",
            "2FA",
            "PhaaS"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MartinHa",
            "id": "262566",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11127,
            "hostname": 3610,
            "URL": 2
          },
          "indicator_count": 14739,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "462 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678c077fa0e21615b2fc3087",
          "name": "Sneaky 2FA Phishing Kit Targeting Microsoft 365 Accounts",
          "description": "Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes. French cybersecurity firm Sekoia identified the kit, active since October 2024, and discovered nearly 100 domains hosting related phishing pages.\n\nThe phishing kit includes references to W3LL Store, a known phishing syndicate behind the W3LL Panel, raising suspicions that Sneaky 2FA is based on similar technology. Some domains linked to Sneaky 2FA were previously tied to older AitM kits like Evilginx2 and Greatness, indicating a shift among cybercriminals to the newer service.\n\nCampaigns leveraging Sneaky 2FA use QR codes embedded in fake payment receipt emails to lure victims. These codes redirect users to phishing pages to harvest credentials and bypass 2FA protections.",
          "modified": "2025-02-17T19:00:21.114000",
          "created": "2025-01-18T19:56:47.092000",
          "tags": [
            "sneaky",
            "sneaky log",
            "microsoft",
            "december",
            "telegram",
            "aitm",
            "w3ll ov6",
            "sekoia",
            "html code",
            "khtml",
            "example",
            "win64",
            "june",
            "mamba",
            "antibot",
            "verify",
            "virustotal",
            "sharepoint",
            "tycoon",
            "bitcoin",
            "tron",
            "ov6",
            "plugx"
          ],
          "references": [
            "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "OV6",
              "display_name": "OV6",
              "target": null
            },
            {
              "id": "PlugX",
              "display_name": "PlugX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11,
            "FileHash-SHA256": 2,
            "domain": 89,
            "hostname": 9
          },
          "indicator_count": 111,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "467 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678b3b0383ee2395a9895a53",
          "name": "CTIA Update File : January 18th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #6175 - AitM Phishing Kit \u201cSneaky 2FA\u201d Targets Microsoft 365 Credentials",
          "description": "",
          "modified": "2025-02-17T05:00:31.502000",
          "created": "2025-01-18T05:24:19.600000",
          "tags": [
            "classification",
            "confidential",
            "domains",
            "cyber",
            "threat",
            "january",
            "time",
            "crypto cyber",
            "defence"
          ],
          "references": [
            "https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 58,
            "hostname": 6
          },
          "indicator_count": 64,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "467 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa",
        "The New Ransomware Menace Vgod Gains Momentum",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "MintsLoader_Stealc",
        "WezRat Malware",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "Bitter APT",
        "Stealers on the Rise",
        "Rspack_Compromised_Packages",
        "RustyStealer and New Ymir Ransomware",
        "Ransomware-Lockbit3-IOCs.csv",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "MirrorFace Campain",
        "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "Visual Studio Code Remote tunnels",
        "LegionLoader Malware Expands Global Reach",
        "https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html",
        "Espionage Campaign Targeting South Asian Entities",
        "Remcos RAT",
        "romcom-exploits-firefox-and-windows",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "MEKOTIO BANKING TROJAN",
        "PUMAKIT",
        "GamaCopy APT Group Mimicking GamaRedon",
        "Helldown Ransomware",
        "Rockstar-Phishing",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "NEW.txt",
        "SpyGlace",
        "DarkGate",
        "APT36",
        "babbleloader",
        "Gh0stGambit",
        "Shadowroot Ransomware",
        "Avast-Anti-Root-KIt",
        "clickfix-tactic",
        "PXA Stealer",
        "SmokeLoader",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "Phobos ransomware",
        "PyPI-AIOCPA",
        "ACR Stealer",
        "BugSleep Malware",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "AsyncRAT Reloaded",
        "NOOPDOOR Malware",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Snake Keylogger",
        "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/",
        "SteelFox Trojan",
        "Bumblebee Malware",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "FatalRAT",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "MUT-1244-GitHub",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "BellaCpp",
        "Glove-Stealer",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "UAC-0185 attacks warned by CERT-UA",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/",
        "solana-backdoor",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "U.S. Organization in China Targeted by Attackers",
        "Winos4.0 RAT",
        "CloudScout_ Evasive Panda scouting cloud services",
        "NetSupport RAT and BurnsRAT",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "HawkEye Malware",
        "HotPage.exe (malware)",
        "Qilin Ransomware",
        "Silent Skimmer Gets Loud (Again)",
        "OtterCookie used by Contagious Interview",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "horns-hooves",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "Python NodeStealer",
        "bootkitty(logofail)",
        "Fake Discount Sites Exploit Black Friday",
        "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/",
        "BrazenBamboo",
        "Demodex rootkit",
        "SystemBC RAT Poses New Risks to Linux System",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "APT-K-47",
        "Akira Ransomware",
        "Cloud Atlas seen using a new tool in its attacks",
        "MALLOX RANSOMWARE",
        "The Return of PlugX Malware with Fresh Tricks",
        "Bootkitty",
        "Weaponized Software Targeting Chinese Organizations",
        "SecTopRAT",
        "TAG-100",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "Sock5Systemz-PROXY-AM",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "WolfsBane Backdoor",
        "play ransomware",
        "ELDORADO RANSOMWARE",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "Fake game sites lead to information stealers"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sneaky Log"
          ],
          "malware_families": [
            "Sneaky 2fa"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Sneaky 2FA",
            "Sneaky Log"
          ],
          "malware_families": [
            "Sneaky2fa",
            "Invisibleferret",
            "Plugx",
            "Ov6",
            "Trojanspy",
            "Vant",
            "Msi",
            "Sneaky 2fa",
            "Mekotio banking"
          ],
          "industries": [
            "Education",
            "Financial services",
            "Manufacturing",
            "Healthcare",
            "Government",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "678a8ce9b82a67a056a959df",
      "name": "Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service",
      "description": "A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 phishing kit codebase. Sneaky Log's operations include selling tools like the AiTM phishing kit, an email sender, and redirect/attachment services. The service uses multiple cryptocurrencies for payments and may employ transaction obfuscation mechanisms.",
      "modified": "2025-02-16T00:01:21.376000",
      "created": "2025-01-17T17:01:28.415000",
      "tags": [
        "AiTM",
        "phishing",
        "Telegram",
        "cryptocurrency",
        "obfuscation"
      ],
      "references": [
        "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
      ],
      "public": 1,
      "adversary": "Sneaky Log",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sneaky 2FA",
          "display_name": "Sneaky 2FA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 91,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 23,
        "hostname": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386463,
      "modified_text": "469 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a173cde3fe086aff7ea9710",
      "name": "Sneaky2FA",
      "description": "Sneaky2FA is an adversary-in-the-middle (AiTM) phishing-as-a-service (PhaaS) kit targeting Microsoft 365 accounts, first detailed by Sekoia in January 2025 and active since at least October 2024. Operated by the \"Sneaky Log\" group and sold via a Telegram bot for around $200/month, it proxies authentication in real time to steal credentials and session cookies, bypassing MFA. Pages are typically hosted on compromised WordPress sites, pre-populate the victim's email, and use blurred Microsoft screenshots as backgrounds. Evasion includes Cloudflare Turnstile, CAPTCHA, IP filtering, and redirects of sandbox/analyst traffic to benign sites, plus heavy code obfuscation and rapid domain rotation. As of November 2025, the kit added Browser-in-the-Browser (BitB) pop-ups that spoof the Microsoft login window and address bar.",
      "modified": "2026-05-27T19:23:31.701000",
      "created": "2026-05-27T18:50:02.634000",
      "tags": [
        "Phishing",
        "phaas",
        "aitm",
        "mfa-bypass",
        "microsoft",
        "microsoft365",
        "sneaky2fa",
        "sneakylog",
        "session-hijacking",
        "credential-stealing",
        "credential=theft"
      ],
      "references": [
        "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
      ],
      "public": 1,
      "adversary": "Sneaky Log",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sneaky2FA",
          "display_name": "Sneaky2FA",
          "target": null
        },
        {
          "id": "Sneaky 2FA",
          "display_name": "Sneaky 2FA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1550.004",
          "name": "Web Session Cookie",
          "display_name": "T1550.004 - Web Session Cookie"
        },
        {
          "id": "T1606.001",
          "name": "Web Cookies",
          "display_name": "T1606.001 - Web Cookies"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1584.006",
          "name": "Web Services",
          "display_name": "T1584.006 - Web Services"
        }
      ],
      "industries": [
        "Financial Services",
        "Technology",
        "Healthcare",
        "Government",
        "Education",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "KorporateKevin",
        "id": "318270",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 107,
        "hostname": 8
      },
      "indicator_count": 115,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 9,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68122b6f06cbb5f973985fa8",
      "name": "Sneaky 2FA AiTM PhaaS",
      "description": "Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.",
      "modified": "2025-05-30T13:03:20.512000",
      "created": "2025-04-30T13:53:51.809000",
      "tags": [
        "Sneaky2FA",
        "AiTM",
        "PhaaS",
        "Sneaky Log",
        "Telegram",
        "ReCaptcha",
        "M365",
        "Microsoft",
        "Microsoft 365",
        "Turnstile",
        "websocket",
        "obfuscated-js",
        "wikikit",
        "javascript",
        "Cloudflare",
        "AWS",
        "autograb"
      ],
      "references": [
        "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/",
        "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa",
        "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit",
        "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/",
        "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/",
        "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365"
      ],
      "public": 1,
      "adversary": "Sneaky 2FA",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "v0od0o.exe",
        "id": "273579",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 167,
        "hostname": 12,
        "URL": 12,
        "FileHash-SHA256": 2
      },
      "indicator_count": 193,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "365 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c0cdc35112c5919563a334",
      "name": "Intel is bad awy",
      "description": "",
      "modified": "2025-03-29T20:01:20.482000",
      "created": "2025-02-27T20:40:35.539000",
      "tags": [
        "sign",
        "github",
        "find",
        "view",
        "search",
        "strong",
        "code issues",
        "pull",
        "breadcrumbs",
        "damn",
        "star",
        "footer",
        "sha1",
        "helldown linux",
        "iocs helldown",
        "windows payload",
        "icon",
        "darkrace",
        "donex",
        "ransom",
        "defanged file",
        "hashes",
        "ipv4",
        "sha256",
        "c2 ip",
        "address",
        "plugin",
        "brazanbamboo c2",
        "panel",
        "archive file",
        "bha006",
        "telegram bot",
        "token",
        "chat id",
        "sha256 hashes",
        "iocs",
        "intermediary",
        "landing",
        "aitm server",
        "compromise note",
        "hashes payload",
        "loader",
        "dropper",
        "ips https",
        "urls https",
        "duoyi",
        "ioc url",
        "ipv4 address",
        "c2 server",
        "sample sha256",
        "remcos",
        "decrypted",
        "urls http",
        "payload",
        "amos stealer",
        "stealc c2",
        "rhadamanthys c2",
        "phishing urls",
        "google meet",
        "amos steaker",
        "html payload",
        "stealc payload",
        "md5 hashes",
        "sha1 hashes",
        "iocs zip",
        "lnk file",
        "msi file",
        "payload url",
        "eldorado",
        "linux",
        "service dll",
        "cheat engine",
        "c2 domain",
        "compromise",
        "urls",
        "iocs files",
        "network ip",
        "domain",
        "malware hash",
        "noopldr type1",
        "noopldr type2",
        "download url",
        "email addresses",
        "block",
        "ioc http",
        "iocs hash",
        "url https",
        "ghostgambit",
        "hidden rootkit",
        "gh0strat",
        "mekotio banking",
        "financial",
        "latin america",
        "detected",
        "zipmsi",
        "downloader",
        "ip address",
        "cobalt strike",
        "first seen",
        "seen",
        "pantegana",
        "tls certificate",
        "fingerprint",
        "samples",
        "trojanspy",
        "msi",
        "subdomains",
        "reddit",
        "wetransfer",
        "ioc hash",
        "file hashes",
        "ip addresses",
        "fake captcha",
        "html",
        "hta script",
        "lumma payload",
        "filehashsha256",
        "indicator type",
        "sha256 lnk",
        "ports",
        "first stage",
        "md5 file",
        "domains",
        "reddelta c2",
        "servers",
        "octoberdecember",
        "shortcut",
        "files",
        "solo airfield",
        "quoc",
        "bctt",
        "kongtuke",
        "mintsloader c2",
        "js download",
        "c2 http",
        "boinc c2",
        "c2 address",
        "analyzed",
        "file name",
        "na stark",
        "na majestic",
        "description",
        "trojanized",
        "beavertail",
        "anydesk module",
        "domain hosting",
        "first",
        "details",
        "monitor",
        "sites",
        "fake chrome",
        "payload host",
        "c2 https",
        "examples",
        "atomic stealer",
        "c2 servers",
        "cthulhu stealer",
        "server http",
        "l files",
        "original",
        "iocs malicious",
        "mirrowsimps",
        "defanged",
        "strike loaders",
        "plugx",
        "plugx c2",
        "sspiuacbypass",
        "malware",
        "malware c2",
        "filehashmd5",
        "site",
        "orgvgodpayment",
        "quite solsjoas",
        "ioc sha256",
        "similar sha256",
        "http",
        "url hundreds",
        "url samples",
        "filehash",
        "guidloader",
        "finaldraft elf",
        "type name",
        "reference",
        "finaldraft",
        "sha256 pfman",
        "pathloader",
        "atomic https",
        "systembc",
        "ghostsocks",
        "invisibleferret",
        "vant",
        "rspackcore",
        "monero",
        "sha256 hash",
        "code snippets",
        "psexec",
        "ituneshelper",
        "pscp",
        "sftp",
        "googleupdate",
        "meshagent",
        "ultravnc",
        "file",
        "bootkitty iocs",
        "phpsert",
        "phpsert variant",
        "createdump tool",
        "visual studio",
        "code",
        "server",
        "sql injection",
        "studio code",
        "ssh access",
        "hta file",
        "vbshower c2",
        "powershower c2",
        "cloud",
        "hta md5",
        "domain name",
        "links",
        "c http",
        "horns",
        "version",
        "version b",
        "version c",
        "version d",
        "version e",
        "burnsrat c",
        "a http",
        "github users",
        "shell commands",
        "vssadmin delete",
        "userprofile",
        "public",
        "registry keys",
        "phobos",
        "lettointago",
        "carljohnson1948",
        "samuelwhite1821",
        "file hash",
        "lockbit",
        "indicatortype",
        "data",
        "mlpea",
        "w32neshtad",
        "gmer",
        "neshta",
        "opswat oesis",
        "v4 removal"
      ],
      "references": [
        "Bootkitty",
        "Glove-Stealer",
        "Fake Discount Sites Exploit Black Friday",
        "Helldown Ransomware",
        "HawkEye Malware",
        "PXA Stealer",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "BrazenBamboo",
        "SpyGlace",
        "RustyStealer and New Ymir Ransomware",
        "PyPI-AIOCPA",
        "Python NodeStealer",
        "romcom-exploits-firefox-and-windows",
        "Rockstar-Phishing",
        "Silent Skimmer Gets Loud (Again)",
        "SteelFox Trojan",
        "WezRat Malware",
        "Avast-Anti-Root-KIt",
        "Winos4.0 RAT",
        "APT36",
        "WolfsBane Backdoor",
        "APT-K-47",
        "Remcos RAT",
        "babbleloader",
        "Bitter APT",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "CloudScout_ Evasive Panda scouting cloud services",
        "clickfix-tactic",
        "Akira Ransomware",
        "Bumblebee Malware",
        "ELDORADO RANSOMWARE",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "Demodex rootkit",
        "BugSleep Malware",
        "HotPage.exe (malware)",
        "Qilin Ransomware",
        "NOOPDOOR Malware",
        "Shadowroot Ransomware",
        "play ransomware",
        "MALLOX RANSOMWARE",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "ACR Stealer",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Gh0stGambit",
        "MEKOTIO BANKING TROJAN",
        "TAG-100",
        "Fake game sites lead to information stealers",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "GamaCopy APT Group Mimicking GamaRedon",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "The Return of PlugX Malware with Fresh Tricks",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "Weaponized Software Targeting Chinese Organizations",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "MintsLoader_Stealc",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "SecTopRAT",
        "Stealers on the Rise",
        "Snake Keylogger",
        "AsyncRAT Reloaded",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "FatalRAT",
        "SystemBC RAT Poses New Risks to Linux System",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Espionage Campaign Targeting South Asian Entities",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "LegionLoader Malware Expands Global Reach",
        "NEW.txt",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "Rspack_Compromised_Packages",
        "SmokeLoader",
        "Sock5Systemz-PROXY-AM",
        "solana-backdoor",
        "U.S. Organization in China Targeted by Attackers",
        "UAC-0185 attacks warned by CERT-UA",
        "BellaCpp",
        "bootkitty(logofail)",
        "Visual Studio Code Remote tunnels",
        "Cloud Atlas seen using a new tool in its attacks",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "DarkGate",
        "MirrorFace Campain",
        "horns-hooves",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "NetSupport RAT and BurnsRAT",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "MUT-1244-GitHub",
        "Phobos ransomware",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "PUMAKIT",
        "OtterCookie used by Contagious Interview",
        "Ransomware-Lockbit3-IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mekotio Banking",
          "display_name": "Mekotio Banking",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "MSI",
          "display_name": "MSI",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        },
        {
          "id": "Vant",
          "display_name": "Vant",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 84,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Badderawy",
        "id": "310597",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 950,
        "FileHash-SHA1": 847,
        "FileHash-SHA256": 1060,
        "hostname": 1158,
        "domain": 867,
        "URL": 813,
        "email": 77,
        "CIDR": 2,
        "CVE": 9
      },
      "indicator_count": 5783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "427 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6791f5136a8399b3e559c850",
      "name": "Tycoon 2FA Phishing",
      "description": "Ref:\nhttps://www.sekoia.io/en/glossary/tycoon-2fa-phishing/\nSources:\nhttps://x.com/RacWatchin8872/status/1882142052684824769\nhttps://github.com/MikhailKasimov/validin-phish-feed/blob/ee830104e1537e56c8aa6ff126daf82ade2f6189/validin-phish-feed-1.txt",
      "modified": "2025-02-22T07:01:59.374000",
      "created": "2025-01-23T07:51:47.175000",
      "tags": [
        "Tycoon",
        "Phishing",
        "2FA",
        "PhaaS"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MartinHa",
        "id": "262566",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 11127,
        "hostname": 3610,
        "URL": 2
      },
      "indicator_count": 14739,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "462 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678c077fa0e21615b2fc3087",
      "name": "Sneaky 2FA Phishing Kit Targeting Microsoft 365 Accounts",
      "description": "Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes. French cybersecurity firm Sekoia identified the kit, active since October 2024, and discovered nearly 100 domains hosting related phishing pages.\n\nThe phishing kit includes references to W3LL Store, a known phishing syndicate behind the W3LL Panel, raising suspicions that Sneaky 2FA is based on similar technology. Some domains linked to Sneaky 2FA were previously tied to older AitM kits like Evilginx2 and Greatness, indicating a shift among cybercriminals to the newer service.\n\nCampaigns leveraging Sneaky 2FA use QR codes embedded in fake payment receipt emails to lure victims. These codes redirect users to phishing pages to harvest credentials and bypass 2FA protections.",
      "modified": "2025-02-17T19:00:21.114000",
      "created": "2025-01-18T19:56:47.092000",
      "tags": [
        "sneaky",
        "sneaky log",
        "microsoft",
        "december",
        "telegram",
        "aitm",
        "w3ll ov6",
        "sekoia",
        "html code",
        "khtml",
        "example",
        "win64",
        "june",
        "mamba",
        "antibot",
        "verify",
        "virustotal",
        "sharepoint",
        "tycoon",
        "bitcoin",
        "tron",
        "ov6",
        "plugx"
      ],
      "references": [
        "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "OV6",
          "display_name": "OV6",
          "target": null
        },
        {
          "id": "PlugX",
          "display_name": "PlugX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11,
        "FileHash-SHA256": 2,
        "domain": 89,
        "hostname": 9
      },
      "indicator_count": 111,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 218,
      "modified_text": "467 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678b3b0383ee2395a9895a53",
      "name": "CTIA Update File : January 18th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #6175 - AitM Phishing Kit \u201cSneaky 2FA\u201d Targets Microsoft 365 Credentials",
      "description": "",
      "modified": "2025-02-17T05:00:31.502000",
      "created": "2025-01-18T05:24:19.600000",
      "tags": [
        "classification",
        "confidential",
        "domains",
        "cyber",
        "threat",
        "january",
        "time",
        "crypto cyber",
        "defence"
      ],
      "references": [
        "https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 58,
        "hostname": 6
      },
      "indicator_count": 64,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "467 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "docuinshare.top",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "docuinshare.top",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780186236.6296315
}