{ "type": "Domain", "indicator": "documentsec.online", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/documentsec.online", "alexa": "http://www.alexa.com/siteinfo/documentsec.online", "indicator": "documentsec.online", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4141778204, "indicator": "documentsec.online", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "68f756148d1335a1b45d57c2", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group, swiftly shifted operations after their LOSTKEYS malware was exposed in May 2025. They developed new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, within days. The infection chain begins with a COLDCOPY lure disguised as a CAPTCHA, leading to the deployment of NOROBOT, a DLL that retrieves subsequent stages. YESROBOT, a Python backdoor, was briefly used before being replaced by MAYBEROBOT, a more flexible PowerShell backdoor. The malware chain has undergone constant evolution, with COLDRIVER focusing on evading detection while maintaining intelligence collection capabilities against high-value targets. The group's tactics include using HTTPS for command retrieval, encrypting commands, and implementing various evasion techniques.", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-21T09:44:52.570000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "Callisto", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386896, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bdeaf3d697c74bef62d4", "name": "Cyber Threat Advisory - COLDRIVER Unleashes ROBOT Malware Suite Following LOSTKEYS Exposure", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:20:10.554000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 13 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f7881fa664f8327961714c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog", "description": "A Russian state-sponsored malware group has re-tooled its operations and launched a new infection chain, according to Google Threat Intelligence Group (GTIG) in a blog post published on 20 October 2025.", "modified": "2025-11-20T13:01:30.038000", "created": "2025-10-21T13:18:23.931000", "tags": [ "coldriver", "mayberobot", "gtig", "norobot", "yesrobot", "june", "iocs", "simplefix", "zscaler", "download", "malware", "python" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "davidscott", "id": "359278", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "YARA": 2, "domain": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86c91d61d56a902ab0add", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:05.275000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86cb4659435739966056c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:40.106000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f89216d00e182e616a7c05", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T08:13:10.853000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f73de43e773506ec25b813", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).", "modified": "2025-11-20T08:01:35.430000", "created": "2025-10-21T08:01:40.742000", "tags": [ "coldcopy domain", "norobot", "yesrobot c2", "june", "coldcopy", "clickfix", "yesrobot", "mayberobot c2", "august" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "domain": 13 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fac33685b766ffedc2d45b", "name": "Twitter Feed - ValidinLLC - 23-10-2025", "description": "", "modified": "2025-10-24T00:07:18.177000", "created": "2025-10-24T00:07:18.177000", "tags": [], "references": [ "https://x.com/ValidinLLC/status/1981324465624510702" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "URL": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "221 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/ValidinLLC/status/1981324465624510702", "Oct week.3.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "related": { "alienvault": { "adversary": [ "Callisto" ], "malware_families": [ "Mayberobot", "Lostkeys", "Coldcopy", "Yesrobot", "Norobot" ], "industries": [ "Government", "Ngo" ] }, "other": { "adversary": [ "COLDRIVER", "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor" ], "malware_families": [ "Mayberobot", "Lostkeys", "Coldcopy", "Yesrobot", "Norobot", "Python" ], "industries": [ "Government", "Ngo" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "68f756148d1335a1b45d57c2", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group, swiftly shifted operations after their LOSTKEYS malware was exposed in May 2025. They developed new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, within days. The infection chain begins with a COLDCOPY lure disguised as a CAPTCHA, leading to the deployment of NOROBOT, a DLL that retrieves subsequent stages. YESROBOT, a Python backdoor, was briefly used before being replaced by MAYBEROBOT, a more flexible PowerShell backdoor. The malware chain has undergone constant evolution, with COLDRIVER focusing on evading detection while maintaining intelligence collection capabilities against high-value targets. The group's tactics include using HTTPS for command retrieval, encrypting commands, and implementing various evasion techniques.", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-21T09:44:52.570000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "Callisto", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386896, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bdeaf3d697c74bef62d4", "name": "Cyber Threat Advisory - COLDRIVER Unleashes ROBOT Malware Suite Following LOSTKEYS Exposure", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:20:10.554000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 13 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f7881fa664f8327961714c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog", "description": "A Russian state-sponsored malware group has re-tooled its operations and launched a new infection chain, according to Google Threat Intelligence Group (GTIG) in a blog post published on 20 October 2025.", "modified": "2025-11-20T13:01:30.038000", "created": "2025-10-21T13:18:23.931000", "tags": [ "coldriver", "mayberobot", "gtig", "norobot", "yesrobot", "june", "iocs", "simplefix", "zscaler", "download", "malware", "python" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "davidscott", "id": "359278", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "YARA": 2, "domain": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86c91d61d56a902ab0add", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:05.275000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86cb4659435739966056c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:40.106000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f89216d00e182e616a7c05", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T08:13:10.853000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f73de43e773506ec25b813", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).", "modified": "2025-11-20T08:01:35.430000", "created": "2025-10-21T08:01:40.742000", "tags": [ "coldcopy domain", "norobot", "yesrobot c2", "june", "coldcopy", "clickfix", "yesrobot", "mayberobot c2", "august" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "domain": 13 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "194 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fac33685b766ffedc2d45b", "name": "Twitter Feed - ValidinLLC - 23-10-2025", "description": "", "modified": "2025-10-24T00:07:18.177000", "created": "2025-10-24T00:07:18.177000", "tags": [], "references": [ "https://x.com/ValidinLLC/status/1981324465624510702" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "URL": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "221 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "documentsec.online", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "documentsec.online", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780411279.398772 }