{ "type": "Domain", "indicator": "driftlance.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/driftlance.org", "alexa": "http://www.alexa.com/siteinfo/driftlance.org", "indicator": "driftlance.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4129834273, "indicator": "driftlance.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9b122cb4afc654b640d6a", "name": "IOC - Breakingdown of Patchwork APT", "description": "Patchwork APT, also known as Dropping Elephant, Monsoon, and Hangover Group, has been active since at least 2015. This threat actor primarily focuses on gathering political and military intelligence, targeting organizations across South and Southeast Asia. Patchwork is recognized for its persistence and adaptability, often reusing and modifying existing tools rather than developing its own exploits. Despite this, the group has achieved significant success by leveraging effective social engineering tactics, customized lures, and multi-layered obfuscation techniques in their operations.", "modified": "2025-10-11T01:21:38.512000", "created": "2025-10-11T01:21:38.512000", "tags": [ "trojan" ], "references": [ "https://labs.k7computing.com/index.php/breakingdown-of-patchwork-apt/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "233 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e58379069a4012105d82ab", "name": "Patchwork APT: Fake VLC and MSIL Backdoor Enable Stealthy Espionage in South Asia", "description": "", "modified": "2025-10-07T21:17:45.304000", "created": "2025-10-07T21:17:45.304000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "236 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dc3f367fda777968bb0488", "name": "Breakingdown of Patchwork APT", "description": "Patchwork APT, also referred to as Dropping Elephant, Monsoon, and Hangover Group, has been operational since at least 2015 with a primary focus on collecting political and military intelligence. This threat actor directs its efforts toward organizations in South and Southeast Asia, emphasizing its strategic targeting of critical sectors. A key characteristic of Patchwork APT is its persistence and adaptiveness; instead of creating new exploits, it often reuses and modifies existing malware and tools. This approach allows the group to operationalize threats more efficiently.", "modified": "2025-09-30T20:36:06.470000", "created": "2025-09-30T20:36:06.470000", "tags": [ "c2 server", "post payload", "post request", "webclient", "protean method", "patchwork apt", "monsoon", "hangover group", "south", "southeast asia", "powershell", "mimic", "charm", "urlencoded", "trojan", "post", "protean" ], "references": [ "https://labs.k7computing.com/index.php/breakingdown-of-patchwork-apt/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Protean", "display_name": "Protean", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [ "Political", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "243 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs_Oct week-1.pdf", "https://labs.k7computing.com/index.php/breakingdown-of-patchwork-apt/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple APT/Malware" ], "malware_families": [ "Protean" ], "industries": [ "Military", "Political" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e9b122cb4afc654b640d6a", "name": "IOC - Breakingdown of Patchwork APT", "description": "Patchwork APT, also known as Dropping Elephant, Monsoon, and Hangover Group, has been active since at least 2015. This threat actor primarily focuses on gathering political and military intelligence, targeting organizations across South and Southeast Asia. Patchwork is recognized for its persistence and adaptability, often reusing and modifying existing tools rather than developing its own exploits. Despite this, the group has achieved significant success by leveraging effective social engineering tactics, customized lures, and multi-layered obfuscation techniques in their operations.", "modified": "2025-10-11T01:21:38.512000", "created": "2025-10-11T01:21:38.512000", "tags": [ "trojan" ], "references": [ "https://labs.k7computing.com/index.php/breakingdown-of-patchwork-apt/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "233 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e58379069a4012105d82ab", "name": "Patchwork APT: Fake VLC and MSIL Backdoor Enable Stealthy Espionage in South Asia", "description": "", "modified": "2025-10-07T21:17:45.304000", "created": "2025-10-07T21:17:45.304000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "236 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dc3f367fda777968bb0488", "name": "Breakingdown of Patchwork APT", "description": "Patchwork APT, also referred to as Dropping Elephant, Monsoon, and Hangover Group, has been operational since at least 2015 with a primary focus on collecting political and military intelligence. This threat actor directs its efforts toward organizations in South and Southeast Asia, emphasizing its strategic targeting of critical sectors. A key characteristic of Patchwork APT is its persistence and adaptiveness; instead of creating new exploits, it often reuses and modifies existing malware and tools. This approach allows the group to operationalize threats more efficiently.", "modified": "2025-09-30T20:36:06.470000", "created": "2025-09-30T20:36:06.470000", "tags": [ "c2 server", "post payload", "post request", "webclient", "protean method", "patchwork apt", "monsoon", "hangover group", "south", "southeast asia", "powershell", "mimic", "charm", "urlencoded", "trojan", "post", "protean" ], "references": [ "https://labs.k7computing.com/index.php/breakingdown-of-patchwork-apt/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Protean", "display_name": "Protean", "target": null } ], "attack_ids": [ { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [ "Political", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "243 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "driftlance.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "driftlance.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780326789.9532406 }