{ "type": "Domain", "indicator": "dotnet.is", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/dotnet.is", "alexa": "http://www.alexa.com/siteinfo/dotnet.is", "indicator": "dotnet.is", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3848453907, "indicator": "dotnet.is", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "687e317b5aa778c0ca883f5a", "name": "Technical Analysis of Phishing Campaigns Targeting the Defense Industry Delivering Snake Keylogger", "description": "", "modified": "2025-07-21T12:24:26.372000", "created": "2025-07-21T12:24:26.372000", "tags": [ "sample", "smtp", "snake keylogger", "powershell", "turkey", "chiron", "outlook", "tusa", "industries", "teklif istei", "team", "easy", "antibot", "sandbox", "telegram", "discord" ], "references": [ "https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 2, "domain": 1, "email": 2, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "314 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6838080f58e2d6ee8f43c9d3", "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites", "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus", "modified": "2025-05-29T07:09:03.459000", "created": "2025-05-29T07:09:03.459000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 9, "domain": 30, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836fce0d7f64f82186e780a", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-28T12:09:04.021000", "created": "2025-05-28T12:09:04.021000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361f3322abf0f14a1dc6bb", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-27T20:23:15.312000", "created": "2025-05-27T20:23:15.312000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fdb8fe7f8e1c50fff4e873", "name": "Yara Dump Abuse.ch", "description": "Abuse.ch dump of all community yara uploads.", "modified": "2024-04-21T16:01:18.859000", "created": "2024-03-22T16:59:42.421000", "tags": [ "description", "detects coyote", "yashraj solanki", "cyber threat", "bridewell", "reference", "hash", "rustynoob619", "drainlog", "signalchromeelf", "falsefront", "peach sandstorm", "credits", "vt sample", "twitter", "tlx0b", "diffquasarrat01", "tx0b", "detects tiny", "turla implant", "turla apt", "detect pe", "pyinstaller", "exodus", "binance", "metamask", "binancewallet", "phantom", "metawallet", "temple", "steam", "detects python", "stealer", "temp", "dword ptr", "ldrdata", "cc by", "orderlinks", "ff ff", "rabbithuntcls", "matanet", "b2 c7", "d4 dd", "ee f1", "aa c7", "e4 f8", "vidar binary", "e8 d1", "e8 bf", "e8 e1", "e8 a3", "f9 ff", "c0 xor", "bitter", "tapt17", "cve20180798", "team", "sifalconteam", "white", "bitter maldoc", "loadlibrarya", "shellexecutea", "bader", "orign logger", "cc bysa", "originlogger", "logsettings", "assembly", "binder", "installation", "options", "downloader", "detects elusive", "stealer malware", "yogesh londhe", "originbot", "bitsight", "cc byncsa", "windows nt", "win64", "post", "tripledes", "detects", "packages", "findfirstfile", "findnextfile", "heapwalk", "mapviewoffile", "switchtofiber", "deletefiber", "findfirstfileex", "writefile", "raiseexception", "matthew", "embeeresearch", "stealc", "cc bync", "find bumblebee", "mmmapiospace", "physicalmemory", "spica backdoor", "callisto", "rust", "apt coldriver", "go bear", "backdoor", "kimsuky", "pe export", "file", "hunting rule", "lockbit", "your", "detects rusty", "bcryptgenrandom", "chat3ux", "lucastealer", "lucasstealer", "credit", "laplas clipper", "debug", "first stage", "second stage", "desktop", "ransomware", "itssoeasy", "keyprocedure", "base64", "decrypt", "whoops", "identifier", "l2lkzw50awzpzxi", "lml0c3nvzwfzeq", "nymaim", "chaitanya", "nymaim loader", "detects troll", "clear", "andre gironda", "andregironda", "detects dice", "loader malware", "fin7 apt", "sekoia", "bitcoin genesis", "block", "eaxecx", "eaxecx1", "edx4", "trojan upatre", "detects upatre", "trojan variant", "host", "user execution", "module load", "t1064", "lodsb", "chinise", "helpcf", "legalcopyright", "detects pikabot", "pe import", "pr0xylife", "embeddedrtffile", "dhaeyerwolf", "cve202336884", "d0 cf", "e0 a1", "word", "msworddoc", "powerpoint", "microsoft excel", "detect", "itssoeasya", "e3 bd", "a4 c4", "guid", "onenote", "emotet", "view", "phorpiex", "publichtml", "htdocs", "httpdocs", "share", "income", "c start", "c rmdir", "detects neshta", "belarusian file", "delphi", "belarus", "apanas", "main0x5", "actor", "author", "jpg20001", "jpg20002", "ff d8", "select", "limerat", "detects lime", "rat malware", "f sc", "onlogon rl", "highest", "pstart", "khtml", "gecko", "service", "pxor", "ff c", "raccoonv2", "yara", "detects raccoon", "stealer version", "recordbreaker", "industrialspy", "storm0978", "magicmsg", "magiceml", "magicics", "appointment", "susuncinemail", "looks", "unc string", "magic", "virtualprotect", "amadey", "c2 traffic", "af09", "support", "android malware", "microsoft", "android support", "library", "p4nd3m1cb0y", "vxlangpacker", "vxlang", "released", "threat actor", "lazarus", "baoshengbincumt", "pecompact2", "code00401000 b8", "code00401005", "code00401006", "code0040100d", "code00401014", "code00401016", "rndhex", "rndchar", "xorcrypt", "tofsee malware", "f6 d9", "c1 eb", "c0 e1", "f7 fb", "detects mimic", "mimic", "delete shadow", "copies", "loading", "news penguin", "pakistan", "mustang panda", "ta416", "new year", "themed campaign", "smica83", "suyog41", "file hash", "detects planet", "source", "filehash", "go buildinf", "upx0", "sendhttprequest", "detects lnk", "matches", "lnk dropper", "apt backdoor", "ding2", "ding1", "ankit anubhav", "vbscripts", "a rule", "cryptderivekey", "size", "lockbit black", "version", "high entropy", "july", "wingsofgod", "windows version", "wograt malware", "developed", "maas loader", "ebpvar8", "byte ptr", "ebpvar10", "xor al", "trojan darkme", "detects darkme", "xchg eax", "cmpsd", "esi8", "fadd", "detects hydra", "uninstall", "detects x86", "bifrost rat", "targeting linux", "falcon", "detects zip", "cve202338831", "winrar", "exploit", "t1203", "crimeware", "lnkheader", "isolnkjscmddll", "detects iso", "gcleaner", "accept", "c taskkill", "http analyzer", "wireshark", "networkminer", "internalname", "detects tuga", "arefileapisansi", "getusernamew", "virtualfree", "closehandle", "blackberry", "rule", "matanbuchusmsi2", "matanbuchus msi", "html smuggling", "ta570", "qakbot", "research", "find mx", "mandafirma", "firmasanta", "actualiza", "attempts", "pikabot maldoc", "zip file", "x73x70x6cx69x74", "x73x6cx69x63x65", "slice", "x63x61x6cx6c", "computeus7", "new code", "header", "web client", "download data", "qakbot new", "campaign iso", "cd001", "unicode file", "windows", "systemroot", "ijg jpeg", "cleandir", "ssh hi", "change config", "stop vmx", "kill vmx", "grep", "sfx archive", "setup", "faild", "hijacjbmppath", "unexist", "sendparam", "injector", "qbot", "detects zipline", "procselfexe", "rtlallocateheap", "detects strela", "hook", "detects office", "html injection", "ee df", "df ee", "nicklas keijser", "truesec", "detection", "babuk", "does", "whole", "a7 dc", "eb be", "detects phobos", "romania", "rekoobe linux", "ab cd", "dc ba", "f0 e1", "d2 c3", "encrypt", "sosemanuk", "findcrypt3 rule", "l1522", "b5 cd", "cc de", "eb b5", "detects malware", "romcom threat", "naumovax", "ordinal", "ghislerstealer1", "ghisler golang", "go stealer", "post sendlog", "userid http", "switchtothread", "ghisler", "note", "ransomwareslug", "slug ransomware", "contact", "anydesk windows", "roth", "anydesk", "scarecrow", "gogc", "state", "aurora stealer", "user datalocal", "reconnect", "user", "screenshot", "crypto", "billy austin", "detects tofsee", "gheg", "tofsee", "outlookbnd", "outlookmid", "telegram", "xml manifest", "rise pro", "pe rich", "false", "applaunch", "yarahub", "c1 e1", "e3 ff", "windarkgate", "hotels", "asyncrat", "azaz09", "malicious pypi", "lazarus group", "pdb paths", "defender", "windefend", "maintenance", "disabledefender", "files", "center", "setservice name", "refresh", "button", "press", "install", "extract", "browse", "winrar sfx", "x0dn", "getserver", "c0 eb", "c0 f7", "cf ff", "c3 b8", "f8 b9", "ff e7", "russianpanda9xx", "detects wiki", "loader", "thanks", "mangusta", "final payload", "trojan", "brazil", "icedidiso", "icedid iso", "busybox reverse", "shell", "heapbufferptr", "marc salinas", "checkpoint", "bumblebee", "call", "getprocessheap", "xor edx", "heapalloc", "zander work", "pythonmasepie", "masepie malware", "python script", "ascii", "buffersize", "guidwsf", "vbscript", "variant", "ta570ta577", "d8 a7", "ae b1", "regdelete", "involves", "tok1", "look", "goodwarehash", "cve202230190", "directory", "relationships", "targetmode", "xor ax", "c3 f7", "ff d6", "wallet", "enkrypt", "braavos", "exodus web3", "trust wallet", "tronium", "opera wallet", "detects xeno", "ransomware lnk", "windows update", "mutexx", "usbs", "appmutex", "getencoderinfo", "stobs64", "aesdecryptor", "aesencryptor", "indate", "ping", "agent tesla", "identify", "anyburn", "nils kuhnert", "isos", "avemaria", "persistence", "midgetporn", "danabot122023", "russianpanda", "danabot", "anfam17", "varp0s", "modification", "linuxmalware", "detect linux", "linux", "mac file", "defense evasion", "b7 fe", "ca ef", "dll loader", "nspx30 implant", "black wood", "detects white", "snake stealer", "downloaddata", "detects ov3r", "facebook ads", "error", "response", "task", "download", "execute", "listen", "modernloader", "b6 c0", "icedid family", "b6 f2", "b6 c9", "f7 f5", "fe c3", "b6 db", "b6 d1", "winhttpconnect", "null terminator", "regex", "xc6x85", "xc6x84x24", "xc6x45", "xc7x45", "xffxff", "xffxffx00", "esp0bh", "playransomware", "detects play", "mickal walter", "itracing", "opaquekeyblob", "open source", "brecht sanders", "pe imphash", "phemedrone", "antivm", "strelastealer", "studio", "strela", "erbium stealer", "file type", "amadey bot", "samples", "almond rat", "qi anxin", "sean dalnodar", "detects rwxs", "bill demirkapi", "zig zig", "zigrich", "zpaq", "zpaq alg", "a2 f1", "b9 de", "b8 f4", "fa ff", "developer", "maael hoerz", "ransomware iso", "iso magic", "dos mode", "office", "malware", "powershell", "sub autoopen", "getobject", "batch", "detects custom", "abcd", "detects reverse", "manifests", "entrypoint", "qakbotwsfloader", "wsf loader", "qakbot dll", "request", "f8 c6", "addr", "limeratadmin", "minning", "lu0bot malware", "winexec", "exitprocess", "callbyname", "companyname", "filedescription", "productname", "getmacid", "proofpoint", "form", "dfir report", "yara rule", "set author", "date", "bazar", "rule set", "search", "parella javan", "exotismwaura", "tmptmpy8thnb", "openslpport", "binsh", "httpserver", "postserver", "detects krusty", "synacktiv", "watchdog module", "remcos", "caliber", "caliber stealer", "lure", "connect", "javascript", "pngs", "detects nevada", "shadow", "detects stealc", "sampletest", "tested", "imminentplugins", "battery", "ram usage", "graphics card", "firewall", "antivirus", "mac address", "internetopenurl", "httpqueryinfo", "deletefile", "openprocess", "process32first", "process32next", "shellexecute", "push", "xor eax", "ff5508", "ff15", "felix bilstein", "disclaimer", "disassembly", "malpedia", "alexanderhatala", "paas", "antibots7", "erbiumloader", "detects erbium", "detects qbot", "html", "uesdb", "vuvzrejc", "cjerzvuv", "ihimerwp", "globalnet", "originloader", "vidar" ], "references": [ "DLL_BankingTrojan_Coyote_Feb2024.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "Diff_QuasarRAT_01.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "globalnet_files.yar", "EXE_Stealer_Atlantida.yar", "EXE_Python_Stealer_Jan2024.yar", "meth_peb_parsing.yar", "RABBITHUNT_cls.yar", "vidar_stealer_unpacked.yar", "APT_Bitter_Maldoc_Verify.yar", "win_origin_logger_b5c8.yar", "EXE_Stealer_Elusive_Feb2024.yar", "win_originbot.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "bumblebee_win_generic.yar", "yarahub_win_stealc_bytecodes_oct_2023.yar", "loader_win_bumblebee.yar", "signed_sys_with_vulnerablity.yar", "EXE_Backdoor_Rust_March2024.yar", "EXE_Backdoor_GoBear_Feb2024.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "lockbitblack_ransomnote.yar", "EXE_Stealer_RustyStealer_Feb2024.yar", "LucaStealer.yar", "win_laplas_clipper_9c96.yar", "koi_loader.yar", "ItsSoEasy_Ransomware_C_Var.yar", "Nymaim.yar", "EXE_Stealer_TrollStealer_Feb2024.yar", "PseudoManuscriptLoader.yar", "SVCReady_Packed.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "win_bitcoin_genesis_b9_ce9f.yar", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "yes.yar", "DLL_Unknown_China_Feb2024.yar", "DLL_Loader_Pikabot_March2024.yar", "Embedded_RTF_File.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "ItsSoEasy_Ransomware_basic.yar", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "win_phorpiex_a_84fc.yar", "EXE_Virus_Neshta_March2024.yar", "meth_get_eip.yar", "DLL_Loader_Wineloader_March2024.yar", "OneNote_EmbeddedFiles_NoPictures.yar", "LimeRAT.yar", "privateloader.yar", "RaccoonV2.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "SUS_UNC_InEmail.yar", "redline_win_generic.yar", "win_amadey_a9f4.yar", "Android_Backdoor_Xamalicious.yar", "VxLang_Packer.yar", "DLL_North_Korean_Lazarus_March2024.yar", "pe_packer_pecompact2.yar", "win_tofsee_bot.yar", "crashedtech_loader.yar", "EXE_Ransomware_Mimic.yar", "DLL_News_Penguin_Feb2024.yar", "DLL_Mustang_Panda_March2024.yar", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "EXE_Stealer_Planet_March2024.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "Chinese_APT_Backdoor.yar", "Guloader_VBScript.yar", "bruteratelc4.yar", "RANSOM_Lockbit_Black_Packer.yar", "SocGholish_Variant_B.yar", "DLL_RAT_WogRAT_March2024.yar", "win_matanbuchus.yar", "WIN32_MAL_TROJ_DARKME.yar", "Android_BankingTrojan_Hydra.yar", "ELF_RAT_Bifrost_March2024.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "ISO_LNK_JS_CMD_DLL.yar", "win_gcleaner_de41.yar", "ItsSoEasy_Ransomware.yar", "EXE_Ransomware_Tuga_March2024.yar", "RABBITHUNT_loader.yar", "LockBit3_ransomware.yar", "Matanbuchus_MSI_2.yar", "MX_fin_custom_allakore_rat.yar", "PikaBot_Stage1_20240222.yar", "Powerpoint_Code_Execution.yar", "Qakbot_IsoCampaign.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "SelfExtractingRAR.yar", "PUPPETLOADER_loader.yar", "unpacked_qbot.yar", "ELF_Backdoor_ZipLine_Feb2024.yar", "win_colibriloader.yar", "win_strelastealer.yar", "android_apk_hook.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "babuk_copycat_esxi.yar", "EXE_Ransomware_Phobos_Feb2024.yar", "elf_rekoobe_b3_06c9.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "EXE_Trojan_RomCom_Feb2024.yar", "EXE_Unknown_Backdoor_March2024.yar", "BruteRatelConfig.yar", "GHISLER_Stealer_1.yar", "pe_no_import_table.yar", "lnk_from_chinese.yar", "Ransomware_SLug.yar", "Sus_AnyDesk_Attempts_Feb2024.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "ScareCrow_Malware.yar", "win_aurora_stealer_a_706a.yar", "tofsee_yhub.yar", "win_xfiles_stealer_a8b373fb.yar", "EXE_Stealer_RisePro_Jan2024.yar", "AppLaunch.yar", "PassProtected_ZIP_ISO_file.yar", "Win_DarkGate.yar", "LATAMHotel_Obfuscated_BAT.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "Disable_Defender.yar", "sfx_pdb_winrar_restrict.yar", "Detect_SliverFox_String.yar", "EXE_Stealer_CryptBot_March2024.yar", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "IcedID_ISO.yar", "ELF_Implant_COATHANGER_Feb2024.yar", "malware_bumblebee_packed.yar", "LockbitBlack_Loader.yar", "Python_MasePie.yar", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "QakBot_OneNote_Loader.yar", "Old_Code__Signature_AnyDesk_Feb2024.yar", "SUSP_Doc_WordXMLRels_May22.yar", "vulnerablity_driver2_PhysicalMemory.yar", "win_colibriloader_unpacked.yar", "win_vidar_a_a901.yar", "DLL_RAT_Xeno_Feb2024.yar", "RANSOM_Magniber_LNK_Jan23.yar", "win_xwormmm_s1_6f74.yar", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "anyburn_iso_with_date.yar", "avemaria_rat_yhub.yar", "DanaBot_12_2023.yar", "detect_Redline_Stealer_V2.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "win_modern_loader_v1_01_1edf.yar", "Icedid_Unpacked_in_Memory.yar", "meth_stackstrings.yar", "Play_Ransomware.yar", "EXE_RAT_vxRAT_March2024.yar", "EXE_Stealer_Strela_March2024.yar", "sqlcmd_loader.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "StrelaStealer.yar", "win_erbium_stealer_a1_2622.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "win_amadey_bytecodes_oct_2023.yar", "APT_Bitter_PDB_Paths.yar", "binaryObfuscation.yar", "detect_RWS_pe_rule.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "Erbium_Stealer_Obfuscated.yar", "ZPAQ.yar", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "ItsSoEasy_Ransomware_Py_Var.yar", "RANSOM_Magniber_ISO_Jan23.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "SocGholish_Custom_Base64.yar", "SocGholish_Obfuscated.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "Qakbot_WSF_loader.yar", "win_agent_tesla_ab4444e9.yar", "win_danabot_cdf38827.yar", "win_limerat_j1_00cfd931.yar", "win_lu0bot_loader_1d53.yar", "agenttesla_win_generic.yar", "APT_Bitter_Almond_RAT.yar", "unk_phishkit.yar", "cobalt_strike_tmp01925d3f.yar", "detect_Redline_Stealer.yar", "hunt_redline_stealer.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "EXE_Ransomware_Nevada_Feb2024.yar", "EXE_Stealer_StealC_Feb2024.yar", "win_imminentrat_j1_7e208e97.yar", "recordbreaker_win_generic.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "win_qakbot_malped.yar", "PaaS_SpearPhishing_Feb23.yar", "Erbium_Loader.yar", "win_Eternity.yar", "QBOT_HTMLSmuggling_a.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlobalNet", "display_name": "GlobalNet", "target": null }, { "id": "OriginLoader", "display_name": "OriginLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Detects UPATRE", "display_name": "Detects UPATRE", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "twizz619", "id": "188477", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 138, "FileHash-SHA256": 181, "domain": 25, "YARA": 162, "URL": 23, "CVE": 4, "hostname": 10, "email": 4 }, "indicator_count": 788, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Qakbot_WSF_loader.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "cobalt_strike_tmp01925d3f.yar", "win_agent_tesla_ab4444e9.yar", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "Icedid_Unpacked_in_Memory.yar", "signed_sys_with_vulnerablity.yar", "Nymaim.yar", "PseudoManuscriptLoader.yar", "RABBITHUNT_cls.yar", "win_tofsee_bot.yar", "ItsSoEasy_Ransomware_Py_Var.yar", "yes.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "Diff_QuasarRAT_01.yar", "detect_RWS_pe_rule.yar", "loader_win_bumblebee.yar", "Disable_Defender.yar", "win_erbium_stealer_a1_2622.yar", "PaaS_SpearPhishing_Feb23.yar", "tofsee_yhub.yar", "vidar_stealer_unpacked.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "EXE_Backdoor_Rust_March2024.yar", "ELF_Implant_COATHANGER_Feb2024.yar", "lnk_from_chinese.yar", "Erbium_Stealer_Obfuscated.yar", "EXE_Stealer_Planet_March2024.yar", "win_vidar_a_a901.yar", "Android_Backdoor_Xamalicious.yar", "APT_Bitter_Maldoc_Verify.yar", "vulnerablity_driver2_PhysicalMemory.yar", "QBOT_HTMLSmuggling_a.yar", "elf_rekoobe_b3_06c9.yar", "sqlcmd_loader.yar", "RABBITHUNT_loader.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "SUS_UNC_InEmail.yar", "StrelaStealer.yar", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "win_lu0bot_loader_1d53.yar", "koi_loader.yar", "win_imminentrat_j1_7e208e97.yar", "SocGholish_Obfuscated.yar", "IcedID_ISO.yar", "avemaria_rat_yhub.yar", "Python_MasePie.yar", "DLL_RAT_WogRAT_March2024.yar", "win_xfiles_stealer_a8b373fb.yar", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "LATAMHotel_Obfuscated_BAT.yar", "APT_Bitter_Almond_RAT.yar", "Powerpoint_Code_Execution.yar", "agenttesla_win_generic.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "privateloader.yar", "EXE_Ransomware_Phobos_Feb2024.yar", "crashedtech_loader.yar", "ScareCrow_Malware.yar", "DLL_Loader_Wineloader_March2024.yar", "win_matanbuchus.yar", "EXE_Stealer_Elusive_Feb2024.yar", "ISO_LNK_JS_CMD_DLL.yar", "LockBit3_ransomware.yar", "EXE_Backdoor_GoBear_Feb2024.yar", "AppLaunch.yar", "meth_stackstrings.yar", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "unk_phishkit.yar", "win_amadey_bytecodes_oct_2023.yar", "redline_win_generic.yar", "ItsSoEasy_Ransomware_basic.yar", "EXE_Ransomware_Nevada_Feb2024.yar", "win_gcleaner_de41.yar", "SocGholish_Custom_Base64.yar", "DLL_News_Penguin_Feb2024.yar", "APT_Bitter_PDB_Paths.yar", "win_Eternity.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "bumblebee_win_generic.yar", "RANSOM_Lockbit_Black_Packer.yar", "LimeRAT.yar", "hunt_redline_stealer.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "Ransomware_SLug.yar", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "lockbitblack_ransomnote.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "win_laplas_clipper_9c96.yar", "EXE_Unknown_Backdoor_March2024.yar", "detect_Redline_Stealer.yar", "win_modern_loader_v1_01_1edf.yar", "Qakbot_IsoCampaign.yar", "EXE_Virus_Neshta_March2024.yar", "DLL_Unknown_China_Feb2024.yar", "DLL_Loader_Pikabot_March2024.yar", "EXE_Stealer_RustyStealer_Feb2024.yar", "EXE_Stealer_RisePro_Jan2024.yar", "bruteratelc4.yar", "win_aurora_stealer_a_706a.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "Old_Code__Signature_AnyDesk_Feb2024.yar", "globalnet_files.yar", "yarahub_win_stealc_bytecodes_oct_2023.yar", "Chinese_APT_Backdoor.yar", "PikaBot_Stage1_20240222.yar", "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites", "EXE_Stealer_Atlantida.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "RANSOM_Magniber_ISO_Jan23.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "ItsSoEasy_Ransomware_C_Var.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "PUPPETLOADER_loader.yar", "win_colibriloader_unpacked.yar", "win_phorpiex_a_84fc.yar", "PassProtected_ZIP_ISO_file.yar", "BruteRatelConfig.yar", "SocGholish_Variant_B.yar", "LucaStealer.yar", "Matanbuchus_MSI_2.yar", "ELF_Backdoor_ZipLine_Feb2024.yar", "android_apk_hook.yar", "DanaBot_12_2023.yar", "binaryObfuscation.yar", "win_qakbot_malped.yar", "Play_Ransomware.yar", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en", "meth_peb_parsing.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "Erbium_Loader.yar", "win_colibriloader.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "EXE_Stealer_Strela_March2024.yar", "RANSOM_Magniber_LNK_Jan23.yar", "EXE_Python_Stealer_Jan2024.yar", "win_bitcoin_genesis_b9_ce9f.yar", "meth_get_eip.yar", "DLL_North_Korean_Lazarus_March2024.yar", "EXE_Trojan_RomCom_Feb2024.yar", "DLL_RAT_Xeno_Feb2024.yar", "DLL_BankingTrojan_Coyote_Feb2024.yar", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "anyburn_iso_with_date.yar", "EXE_Stealer_CryptBot_March2024.yar", "recordbreaker_win_generic.yar", "win_amadey_a9f4.yar", "ELF_RAT_Bifrost_March2024.yar", "OneNote_EmbeddedFiles_NoPictures.yar", "GHISLER_Stealer_1.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "win_danabot_cdf38827.yar", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "detect_Redline_Stealer_V2.yar", "babuk_copycat_esxi.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "EXE_RAT_vxRAT_March2024.yar", "EXE_Ransomware_Tuga_March2024.yar", "win_limerat_j1_00cfd931.yar", "Win_DarkGate.yar", "WIN32_MAL_TROJ_DARKME.yar", "pe_packer_pecompact2.yar", "unpacked_qbot.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "SelfExtractingRAR.yar", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "Guloader_VBScript.yar", "MX_fin_custom_allakore_rat.yar", "win_origin_logger_b5c8.yar", "Detect_SliverFox_String.yar", "Android_BankingTrojan_Hydra.yar", "win_xwormmm_s1_6f74.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "win_originbot.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "DLL_Mustang_Panda_March2024.yar", "https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger", "EXE_Stealer_TrollStealer_Feb2024.yar", "ItsSoEasy_Ransomware.yar", "LockbitBlack_Loader.yar", "SUSP_Doc_WordXMLRels_May22.yar", "QakBot_OneNote_Loader.yar", "EXE_Ransomware_Mimic.yar", "RaccoonV2.yar", "pe_no_import_table.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "Embedded_RTF_File.yar", "malware_bumblebee_packed.yar", "sfx_pdb_winrar_restrict.yar", "EXE_Stealer_StealC_Feb2024.yar", "Sus_AnyDesk_Attempts_Feb2024.yar", "win_strelastealer.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/", "ZPAQ.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "VxLang_Packer.yar", "SVCReady_Packed.yar" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Figure" ], "malware_families": [ "Grimpull", "Nymaim", "Globalnet", "Xworm", "Frostrift", "Starkveil", "Vidar", "Detects upatre", "Originloader", "Threat intelligence" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "687e317b5aa778c0ca883f5a", "name": "Technical Analysis of Phishing Campaigns Targeting the Defense Industry Delivering Snake Keylogger", "description": "", "modified": "2025-07-21T12:24:26.372000", "created": "2025-07-21T12:24:26.372000", "tags": [ "sample", "smtp", "snake keylogger", "powershell", "turkey", "chiron", "outlook", "tusa", "industries", "teklif istei", "team", "easy", "antibot", "sandbox", "telegram", "discord" ], "references": [ "https://www.malwation.com/blog/technical-analysis-of-phishing-campaigns-targeting-the-defense-industry-delivering-snake-keylogger" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 2, "domain": 1, "email": 2, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "314 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6838080f58e2d6ee8f43c9d3", "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites", "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus", "modified": "2025-05-29T07:09:03.459000", "created": "2025-05-29T07:09:03.459000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA256": 9, "domain": 30, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836fce0d7f64f82186e780a", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-28T12:09:04.021000", "created": "2025-05-28T12:09:04.021000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361f3322abf0f14a1dc6bb", "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog", "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.", "modified": "2025-05-27T20:23:15.312000", "created": "2025-05-27T20:23:15.312000", "tags": [ "protobuf", "hkcusoftware", "urls", "webdrivers", "figure", "threat intelligence", "frostrift", "starkveil", "xworm", "grimpull" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites" ], "public": 1, "adversary": "Figure", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "FROSTRIFT", "display_name": "FROSTRIFT", "target": null }, { "id": "STARKVEIL", "display_name": "STARKVEIL", "target": null }, { "id": "XWORM", "display_name": "XWORM", "target": null }, { "id": "GRIMPULL", "display_name": "GRIMPULL", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 7, "YARA": 2, "domain": 30, "hostname": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "368 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fdb8fe7f8e1c50fff4e873", "name": "Yara Dump Abuse.ch", "description": "Abuse.ch dump of all community yara uploads.", "modified": "2024-04-21T16:01:18.859000", "created": "2024-03-22T16:59:42.421000", "tags": [ "description", "detects coyote", "yashraj solanki", "cyber threat", "bridewell", "reference", "hash", "rustynoob619", "drainlog", "signalchromeelf", "falsefront", "peach sandstorm", "credits", "vt sample", "twitter", "tlx0b", "diffquasarrat01", "tx0b", "detects tiny", "turla implant", "turla apt", "detect pe", "pyinstaller", "exodus", "binance", "metamask", "binancewallet", "phantom", "metawallet", "temple", "steam", "detects python", "stealer", "temp", "dword ptr", "ldrdata", "cc by", "orderlinks", "ff ff", "rabbithuntcls", "matanet", "b2 c7", "d4 dd", "ee f1", "aa c7", "e4 f8", "vidar binary", "e8 d1", "e8 bf", "e8 e1", "e8 a3", "f9 ff", "c0 xor", "bitter", "tapt17", "cve20180798", "team", "sifalconteam", "white", "bitter maldoc", "loadlibrarya", "shellexecutea", "bader", "orign logger", "cc bysa", "originlogger", "logsettings", "assembly", "binder", "installation", "options", "downloader", "detects elusive", "stealer malware", "yogesh londhe", "originbot", "bitsight", "cc byncsa", "windows nt", "win64", "post", "tripledes", "detects", "packages", "findfirstfile", "findnextfile", "heapwalk", "mapviewoffile", "switchtofiber", "deletefiber", "findfirstfileex", "writefile", "raiseexception", "matthew", "embeeresearch", "stealc", "cc bync", "find bumblebee", "mmmapiospace", "physicalmemory", "spica backdoor", "callisto", "rust", "apt coldriver", "go bear", "backdoor", "kimsuky", "pe export", "file", "hunting rule", "lockbit", "your", "detects rusty", "bcryptgenrandom", "chat3ux", "lucastealer", "lucasstealer", "credit", "laplas clipper", "debug", "first stage", "second stage", "desktop", "ransomware", "itssoeasy", "keyprocedure", "base64", "decrypt", "whoops", "identifier", "l2lkzw50awzpzxi", "lml0c3nvzwfzeq", "nymaim", "chaitanya", "nymaim loader", "detects troll", "clear", "andre gironda", "andregironda", "detects dice", "loader malware", "fin7 apt", "sekoia", "bitcoin genesis", "block", "eaxecx", "eaxecx1", "edx4", "trojan upatre", "detects upatre", "trojan variant", "host", "user execution", "module load", "t1064", "lodsb", "chinise", "helpcf", "legalcopyright", "detects pikabot", "pe import", "pr0xylife", "embeddedrtffile", "dhaeyerwolf", "cve202336884", "d0 cf", "e0 a1", "word", "msworddoc", "powerpoint", "microsoft excel", "detect", "itssoeasya", "e3 bd", "a4 c4", "guid", "onenote", "emotet", "view", "phorpiex", "publichtml", "htdocs", "httpdocs", "share", "income", "c start", "c rmdir", "detects neshta", "belarusian file", "delphi", "belarus", "apanas", "main0x5", "actor", "author", "jpg20001", "jpg20002", "ff d8", "select", "limerat", "detects lime", "rat malware", "f sc", "onlogon rl", "highest", "pstart", "khtml", "gecko", "service", "pxor", "ff c", "raccoonv2", "yara", "detects raccoon", "stealer version", "recordbreaker", "industrialspy", "storm0978", "magicmsg", "magiceml", "magicics", "appointment", "susuncinemail", "looks", "unc string", "magic", "virtualprotect", "amadey", "c2 traffic", "af09", "support", "android malware", "microsoft", "android support", "library", "p4nd3m1cb0y", "vxlangpacker", "vxlang", "released", "threat actor", "lazarus", "baoshengbincumt", "pecompact2", "code00401000 b8", "code00401005", "code00401006", "code0040100d", "code00401014", "code00401016", "rndhex", "rndchar", "xorcrypt", "tofsee malware", "f6 d9", "c1 eb", "c0 e1", "f7 fb", "detects mimic", "mimic", "delete shadow", "copies", "loading", "news penguin", "pakistan", "mustang panda", "ta416", "new year", "themed campaign", "smica83", "suyog41", "file hash", "detects planet", "source", "filehash", "go buildinf", "upx0", "sendhttprequest", "detects lnk", "matches", "lnk dropper", "apt backdoor", "ding2", "ding1", "ankit anubhav", "vbscripts", "a rule", "cryptderivekey", "size", "lockbit black", "version", "high entropy", "july", "wingsofgod", "windows version", "wograt malware", "developed", "maas loader", "ebpvar8", "byte ptr", "ebpvar10", "xor al", "trojan darkme", "detects darkme", "xchg eax", "cmpsd", "esi8", "fadd", "detects hydra", "uninstall", "detects x86", "bifrost rat", "targeting linux", "falcon", "detects zip", "cve202338831", "winrar", "exploit", "t1203", "crimeware", "lnkheader", "isolnkjscmddll", "detects iso", "gcleaner", "accept", "c taskkill", "http analyzer", "wireshark", "networkminer", "internalname", "detects tuga", "arefileapisansi", "getusernamew", "virtualfree", "closehandle", "blackberry", "rule", "matanbuchusmsi2", "matanbuchus msi", "html smuggling", "ta570", "qakbot", "research", "find mx", "mandafirma", "firmasanta", "actualiza", "attempts", "pikabot maldoc", "zip file", "x73x70x6cx69x74", "x73x6cx69x63x65", "slice", "x63x61x6cx6c", "computeus7", "new code", "header", "web client", "download data", "qakbot new", "campaign iso", "cd001", "unicode file", "windows", "systemroot", "ijg jpeg", "cleandir", "ssh hi", "change config", "stop vmx", "kill vmx", "grep", "sfx archive", "setup", "faild", "hijacjbmppath", "unexist", "sendparam", "injector", "qbot", "detects zipline", "procselfexe", "rtlallocateheap", "detects strela", "hook", "detects office", "html injection", "ee df", "df ee", "nicklas keijser", "truesec", "detection", "babuk", "does", "whole", "a7 dc", "eb be", "detects phobos", "romania", "rekoobe linux", "ab cd", "dc ba", "f0 e1", "d2 c3", "encrypt", "sosemanuk", "findcrypt3 rule", "l1522", "b5 cd", "cc de", "eb b5", "detects malware", "romcom threat", "naumovax", "ordinal", "ghislerstealer1", "ghisler golang", "go stealer", "post sendlog", "userid http", "switchtothread", "ghisler", "note", "ransomwareslug", "slug ransomware", "contact", "anydesk windows", "roth", "anydesk", "scarecrow", "gogc", "state", "aurora stealer", "user datalocal", "reconnect", "user", "screenshot", "crypto", "billy austin", "detects tofsee", "gheg", "tofsee", "outlookbnd", "outlookmid", "telegram", "xml manifest", "rise pro", "pe rich", "false", "applaunch", "yarahub", "c1 e1", "e3 ff", "windarkgate", "hotels", "asyncrat", "azaz09", "malicious pypi", "lazarus group", "pdb paths", "defender", "windefend", "maintenance", "disabledefender", "files", "center", "setservice name", "refresh", "button", "press", "install", "extract", "browse", "winrar sfx", "x0dn", "getserver", "c0 eb", "c0 f7", "cf ff", "c3 b8", "f8 b9", "ff e7", "russianpanda9xx", "detects wiki", "loader", "thanks", "mangusta", "final payload", "trojan", "brazil", "icedidiso", "icedid iso", "busybox reverse", "shell", "heapbufferptr", "marc salinas", "checkpoint", "bumblebee", "call", "getprocessheap", "xor edx", "heapalloc", "zander work", "pythonmasepie", "masepie malware", "python script", "ascii", "buffersize", "guidwsf", "vbscript", "variant", "ta570ta577", "d8 a7", "ae b1", "regdelete", "involves", "tok1", "look", "goodwarehash", "cve202230190", "directory", "relationships", "targetmode", "xor ax", "c3 f7", "ff d6", "wallet", "enkrypt", "braavos", "exodus web3", "trust wallet", "tronium", "opera wallet", "detects xeno", "ransomware lnk", "windows update", "mutexx", "usbs", "appmutex", "getencoderinfo", "stobs64", "aesdecryptor", "aesencryptor", "indate", "ping", "agent tesla", "identify", "anyburn", "nils kuhnert", "isos", "avemaria", "persistence", "midgetporn", "danabot122023", "russianpanda", "danabot", "anfam17", "varp0s", "modification", "linuxmalware", "detect linux", "linux", "mac file", "defense evasion", "b7 fe", "ca ef", "dll loader", "nspx30 implant", "black wood", "detects white", "snake stealer", "downloaddata", "detects ov3r", "facebook ads", "error", "response", "task", "download", "execute", "listen", "modernloader", "b6 c0", "icedid family", "b6 f2", "b6 c9", "f7 f5", "fe c3", "b6 db", "b6 d1", "winhttpconnect", "null terminator", "regex", "xc6x85", "xc6x84x24", "xc6x45", "xc7x45", "xffxff", "xffxffx00", "esp0bh", "playransomware", "detects play", "mickal walter", "itracing", "opaquekeyblob", "open source", "brecht sanders", "pe imphash", "phemedrone", "antivm", "strelastealer", "studio", "strela", "erbium stealer", "file type", "amadey bot", "samples", "almond rat", "qi anxin", "sean dalnodar", "detects rwxs", "bill demirkapi", "zig zig", "zigrich", "zpaq", "zpaq alg", "a2 f1", "b9 de", "b8 f4", "fa ff", "developer", "maael hoerz", "ransomware iso", "iso magic", "dos mode", "office", "malware", "powershell", "sub autoopen", "getobject", "batch", "detects custom", "abcd", "detects reverse", "manifests", "entrypoint", "qakbotwsfloader", "wsf loader", "qakbot dll", "request", "f8 c6", "addr", "limeratadmin", "minning", "lu0bot malware", "winexec", "exitprocess", "callbyname", "companyname", "filedescription", "productname", "getmacid", "proofpoint", "form", "dfir report", "yara rule", "set author", "date", "bazar", "rule set", "search", "parella javan", "exotismwaura", "tmptmpy8thnb", "openslpport", "binsh", "httpserver", "postserver", "detects krusty", "synacktiv", "watchdog module", "remcos", "caliber", "caliber stealer", "lure", "connect", "javascript", "pngs", "detects nevada", "shadow", "detects stealc", "sampletest", "tested", "imminentplugins", "battery", "ram usage", "graphics card", "firewall", "antivirus", "mac address", "internetopenurl", "httpqueryinfo", "deletefile", "openprocess", "process32first", "process32next", "shellexecute", "push", "xor eax", "ff5508", "ff15", "felix bilstein", "disclaimer", "disassembly", "malpedia", "alexanderhatala", "paas", "antibots7", "erbiumloader", "detects erbium", "detects qbot", "html", "uesdb", "vuvzrejc", "cjerzvuv", "ihimerwp", "globalnet", "originloader", "vidar" ], "references": [ "DLL_BankingTrojan_Coyote_Feb2024.yar", "Dll_Backdoor_FalseFront_Jan2024.yar", "Diff_QuasarRAT_01.yar", "DLL_TinyTurla_Strings_Feb2024.yar", "globalnet_files.yar", "EXE_Stealer_Atlantida.yar", "EXE_Python_Stealer_Jan2024.yar", "meth_peb_parsing.yar", "RABBITHUNT_cls.yar", "vidar_stealer_unpacked.yar", "APT_Bitter_Maldoc_Verify.yar", "win_origin_logger_b5c8.yar", "EXE_Stealer_Elusive_Feb2024.yar", "win_originbot.yar", "SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar", "bumblebee_win_generic.yar", "yarahub_win_stealc_bytecodes_oct_2023.yar", "loader_win_bumblebee.yar", "signed_sys_with_vulnerablity.yar", "EXE_Backdoor_Rust_March2024.yar", "EXE_Backdoor_GoBear_Feb2024.yar", "MALWARE_APT29_SVG_Delivery_Jul23.yar", "lockbitblack_ransomnote.yar", "EXE_Stealer_RustyStealer_Feb2024.yar", "LucaStealer.yar", "win_laplas_clipper_9c96.yar", "koi_loader.yar", "ItsSoEasy_Ransomware_C_Var.yar", "Nymaim.yar", "EXE_Stealer_TrollStealer_Feb2024.yar", "PseudoManuscriptLoader.yar", "SVCReady_Packed.yar", "DLL_DiceLoader_Fin7_Feb2024.yar", "win_bitcoin_genesis_b9_ce9f.yar", "WIN32_MAL_TROJ_UPATRE_SMBG.yar", "yes.yar", "DLL_Unknown_China_Feb2024.yar", "DLL_Loader_Pikabot_March2024.yar", "Embedded_RTF_File.yar", "yarahub_win_njrat_bytecodes_V2_oct_2023.yar", "ItsSoEasy_Ransomware_basic.yar", "MALWARE_Emotet_OneNote_Delivery_vbs_Mar23.yar", "win_phorpiex_a_84fc.yar", "EXE_Virus_Neshta_March2024.yar", "meth_get_eip.yar", "DLL_Loader_Wineloader_March2024.yar", "OneNote_EmbeddedFiles_NoPictures.yar", "LimeRAT.yar", "privateloader.yar", "RaccoonV2.yar", "MALWARE_Storm0978_Underground_Ransomware_Jul23.yar", "SUS_UNC_InEmail.yar", "redline_win_generic.yar", "win_amadey_a9f4.yar", "Android_Backdoor_Xamalicious.yar", "VxLang_Packer.yar", "DLL_North_Korean_Lazarus_March2024.yar", "pe_packer_pecompact2.yar", "win_tofsee_bot.yar", "crashedtech_loader.yar", "EXE_Ransomware_Mimic.yar", "DLL_News_Penguin_Feb2024.yar", "DLL_Mustang_Panda_March2024.yar", "EXE_Stealer_Nightingale_Imphash_Jan2024.yar", "EXE_Stealer_Nightingale_Jan2024.yar", "EXE_Stealer_Planet_March2024.yar", "LNK_Dropper_Russian_APT_Feb2024.yar", "Chinese_APT_Backdoor.yar", "Guloader_VBScript.yar", "bruteratelc4.yar", "RANSOM_Lockbit_Black_Packer.yar", "SocGholish_Variant_B.yar", "DLL_RAT_WogRAT_March2024.yar", "win_matanbuchus.yar", "WIN32_MAL_TROJ_DARKME.yar", "Android_BankingTrojan_Hydra.yar", "ELF_RAT_Bifrost_March2024.yar", "EXPLOIT_WinRAR_CVE_2023_38831_Aug23.yar", "ISO_LNK_JS_CMD_DLL.yar", "win_gcleaner_de41.yar", "ItsSoEasy_Ransomware.yar", "EXE_Ransomware_Tuga_March2024.yar", "RABBITHUNT_loader.yar", "LockBit3_ransomware.yar", "Matanbuchus_MSI_2.yar", "MX_fin_custom_allakore_rat.yar", "PikaBot_Stage1_20240222.yar", "Powerpoint_Code_Execution.yar", "Qakbot_IsoCampaign.yar", "RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar", "SelfExtractingRAR.yar", "PUPPETLOADER_loader.yar", "unpacked_qbot.yar", "ELF_Backdoor_ZipLine_Feb2024.yar", "win_colibriloader.yar", "win_strelastealer.yar", "android_apk_hook.yar", "MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.yar", "babuk_copycat_esxi.yar", "EXE_Ransomware_Phobos_Feb2024.yar", "elf_rekoobe_b3_06c9.yar", "RANSOM_ESXiArgs_Ransomware_Encryptor_Feb23.yar", "EXE_Trojan_RomCom_Feb2024.yar", "EXE_Unknown_Backdoor_March2024.yar", "BruteRatelConfig.yar", "GHISLER_Stealer_1.yar", "pe_no_import_table.yar", "lnk_from_chinese.yar", "Ransomware_SLug.yar", "Sus_AnyDesk_Attempts_Feb2024.yar", "SUSP_ZIP_LNK_PhishAttachment.yar", "ScareCrow_Malware.yar", "win_aurora_stealer_a_706a.yar", "tofsee_yhub.yar", "win_xfiles_stealer_a8b373fb.yar", "EXE_Stealer_RisePro_Jan2024.yar", "AppLaunch.yar", "PassProtected_ZIP_ISO_file.yar", "Win_DarkGate.yar", "LATAMHotel_Obfuscated_BAT.yar", "DLL_PyPi_Loader_Lazarus_March2024.yar", "Disable_Defender.yar", "sfx_pdb_winrar_restrict.yar", "Detect_SliverFox_String.yar", "EXE_Stealer_CryptBot_March2024.yar", "DLL_TinyTurla_PE_Properties_Feb2024.yar", "EXE_Loader_WikiLoader_Feb2024.yar", "DLL_Banking_Trojan_Chavecloak_March2024.yar", "IcedID_ISO.yar", "ELF_Implant_COATHANGER_Feb2024.yar", "malware_bumblebee_packed.yar", "LockbitBlack_Loader.yar", "Python_MasePie.yar", "MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar", "QakBot_OneNote_Loader.yar", "Old_Code__Signature_AnyDesk_Feb2024.yar", "SUSP_Doc_WordXMLRels_May22.yar", "vulnerablity_driver2_PhysicalMemory.yar", "win_colibriloader_unpacked.yar", "win_vidar_a_a901.yar", "DLL_RAT_Xeno_Feb2024.yar", "RANSOM_Magniber_LNK_Jan23.yar", "win_xwormmm_s1_6f74.yar", "WIN32_MALWR_POSSIBLE_EMOTET_07_20.yar", "AgentTesla_DIFF_Common_Strings_01.yar", "anyburn_iso_with_date.yar", "avemaria_rat_yhub.yar", "DanaBot_12_2023.yar", "detect_Redline_Stealer_V2.yar", "ELF_RANSOMWARE_BLACKCAT.yar", "DLL_Loader_BlackWood_APT_Jan2024.yar", "EXE_Stealer_WhiteSnake_Jan2024.yar", "DLL_Stealer_Ov3rStealer_Feb2024.yar", "win_modern_loader_v1_01_1edf.yar", "Icedid_Unpacked_in_Memory.yar", "meth_stackstrings.yar", "Play_Ransomware.yar", "EXE_RAT_vxRAT_March2024.yar", "EXE_Stealer_Strela_March2024.yar", "sqlcmd_loader.yar", "EXE_Stealer_Phemedrone_Feb2024.yar", "StrelaStealer.yar", "win_erbium_stealer_a1_2622.yar", "UNKNOWN_News_Penguin_Feb2024.yar", "win_amadey_bytecodes_oct_2023.yar", "APT_Bitter_PDB_Paths.yar", "binaryObfuscation.yar", "detect_RWS_pe_rule.yar", "DLL_PyPi_Comebacker_Lazarus_March2024.yar", "Erbium_Stealer_Obfuscated.yar", "ZPAQ.yar", "SUSP_HxD_Icon_Anomaly_May23_1.yar", "ItsSoEasy_Ransomware_Go_Var.yar", "ItsSoEasy_Ransomware_Py_Var.yar", "RANSOM_Magniber_ISO_Jan23.yar", "MALWARE_OneNote_Delivery_Jan23.yar", "SocGholish_Custom_Base64.yar", "SocGholish_Obfuscated.yar", "SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar", "Qakbot_WSF_loader.yar", "win_agent_tesla_ab4444e9.yar", "win_danabot_cdf38827.yar", "win_limerat_j1_00cfd931.yar", "win_lu0bot_loader_1d53.yar", "agenttesla_win_generic.yar", "APT_Bitter_Almond_RAT.yar", "unk_phishkit.yar", "cobalt_strike_tmp01925d3f.yar", "detect_Redline_Stealer.yar", "hunt_redline_stealer.yar", "RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar", "ELF_Loader_KrustyLoader_Feb2024.yar", "yarahub_win_remcos_rat_unpacked_aug_2023.yar", "EXE_Stealer_44Caliber_Feb2024.yar", "MALWARE_Emotet_OneNote_Delivery_js_Mar23.yar", "EXE_Ransomware_Nevada_Feb2024.yar", "EXE_Stealer_StealC_Feb2024.yar", "win_imminentrat_j1_7e208e97.yar", "recordbreaker_win_generic.yar", "yarahub_win_mystic_stealer_bytecodes_sep_2023.yar", "win_qakbot_malped.yar", "PaaS_SpearPhishing_Feb23.yar", "Erbium_Loader.yar", "win_Eternity.yar", "QBOT_HTMLSmuggling_a.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlobalNet", "display_name": "GlobalNet", "target": null }, { "id": "OriginLoader", "display_name": "OriginLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "Detects UPATRE", "display_name": "Detects UPATRE", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 99, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "twizz619", "id": "188477", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 241, "FileHash-SHA1": 138, "FileHash-SHA256": 181, "domain": 25, "YARA": 162, "URL": 23, "CVE": 4, "hostname": 10, "email": 4 }, "indicator_count": 788, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "770 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "dotnet.is", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "dotnet.is", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780245784.4226608 }