{ "type": "Domain", "indicator": "drsync.click", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/drsync.click", "alexa": "http://www.alexa.com/siteinfo/drsync.click", "indicator": "drsync.click", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4081487790, "indicator": "drsync.click", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "68639744272b5a4d16c46166", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader", "description": "This report analyzes the activities of two threat actor clusters: TA829 and UNK_GreenSec. TA829 conducts both espionage and cybercrime operations using tools like SingleCamper and DustyHammock. UNK_GreenSec deploys TransferLoader malware leading to ransomware infections. The actors share similarities in infrastructure, delivery tactics, and lure themes, raising questions about their relationship. Four hypotheses are presented regarding their potential connection, ranging from shared third-party services to being the same actor. The report highlights the increasing overlap between cybercrime and espionage activities, making attribution more challenging in the current threat landscape.", "modified": "2025-07-01T08:09:37.616000", "created": "2025-07-01T08:07:32.903000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 386760, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68660d05b657f67ed01a1472", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader", "description": "", "modified": "2025-07-03T04:54:29.945000", "created": "2025-07-03T04:54:29.945000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": "68639744272b5a4d16c46166", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "333 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686493f010c30085b34ccfe6", "name": "IOC&TTP - 10 Things I Hate About Attribution RomCom vs. TransferLoader", "description": "\u672c\u62a5\u544a\u5206\u6790\u4e86\u4e24\u4e2a\u5a01\u80c1\u6d3b\u52a8\u96c6\u7fa4\uff1aTA829\uff08RomCom) \u548c UNK_GreenSec\uff08TransferLoader\uff09\uff0c\u5b83\u4eec\u5177\u6709\u9ad8\u5ea6\u76f8\u4f3c\u7684\u6218\u672f\u3001\u6280\u672f\u548c\u7a0b\u5e8f\uff08TTPs\uff09\u3001\u57fa\u7840\u8bbe\u65bd\u548c\u90ae\u4ef6\u8bf1\u9975\u7b56\u7565\uff0c\u4f46\u5176\u5f52\u5c5e\u5c1a\u4e0d\u660e\u786e\u3002TA829\u662f\u4e00\u4e2a\u5177\u6709\u91d1\u878d\u52a8\u673a\u5e76\u6d89\u53ca\u95f4\u8c0d\u6d3b\u52a8\u7684\u884c\u4e3a\u8005\uff0c\u53ef\u80fd\u4e0e\u4fc4\u7f57\u65af\u6709\u5173\uff1b\u800cUNK_GreenSec\u662f\u4e00\u4e2a\u53ef\u80fd\u76f8\u4e92\u5173\u8054\u4f46\u66f4\u503e\u5411\u4e8e\u7eaf\u7cb9\u7f51\u7edc\u72af\u7f6a\u7684\u96c6\u7fa4\u3002\u4e24\u8005\u5747\u4f7f\u7528\u5fae\u578b\u8def\u7531\u5668\u4ee3\u7406\uff08REM Proxy\uff09\u548c\u518d\u5b9a\u5411\u94fe\uff0c\u5728\u9493\u9c7c\u90ae\u4ef6\u4e2d\u4f7f\u7528\u7b80\u5386/\u6295\u8bc9\u7b49\u4e3b\u9898\uff0c\u90e8\u7f72\u5404\u81ea\u72ec\u7acb\u7684\u6076\u610f\u7a0b\u5e8f\uff08RomCom\u5bb6\u65cf\u5de5\u5177\u94fe\u4e0eTransferLoader\uff09\u3002\u62a5\u544a\u4e5f\u63d0\u51fa\u4e86\u56db\u79cd\u53ef\u80fd\u7684\u5f52\u5c5e\u5047\u8bbe\uff0c\u4f53\u73b0\u4e86\u7f51\u7edc\u5a01\u80c1\u751f\u6001\u7cfb\u7edf\u4e2d\u7f51\u7edc\u72af\u7f6a\u4e0e\u95f4\u8c0d\u6d3b\u52a8\u7684\u878d\u5408\u8d8b\u52bf\u3002", "modified": "2025-07-02T02:05:46.780000", "created": "2025-07-02T02:05:36.582000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": "68639744272b5a4d16c46166", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "334 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686457bec73826e391598c91", "name": "xxxxxxx", "description": "", "modified": "2025-07-01T21:48:46.460000", "created": "2025-07-01T21:48:46.460000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 59, "hostname": 1 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863ca1f92e3d9b7fc2c3b03", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US", "description": "", "modified": "2025-07-01T11:44:31.683000", "created": "2025-07-01T11:44:31.683000", "tags": [ "ta829", "unkgreensec", "transferloader", "proofpoint", "dustyhammock", "singlecamper", "rem proxy", "ttps", "dlls", "february", "ukraine", "rust", "meltingclaw", "window", "april", "shadyhammock", "august", "metasploit", "june", "morpheus", "hellcat", "danabot", "sunseed" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 107, "hostname": 2 }, "indicator_count": 136, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader", "Aug-Week2.pdf" ], "related": { "alienvault": { "adversary": [ "TA829" ], "malware_families": [ "Shadyhammock", "Slipscreen", "Dustyhammock", "Hellcat", "Singlecamper", "Morpheus", "Rustyclaw", "Meltingclaw", "Transferloader" ], "industries": [ "Defense" ] }, "other": { "adversary": [ "TA829" ], "malware_families": [ "Shadyhammock", "Slipscreen", "Dustyhammock", "Hellcat", "Singlecamper", "Morpheus", "Rustyclaw", "Meltingclaw", "Transferloader" ], "industries": [ "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "68639744272b5a4d16c46166", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader", "description": "This report analyzes the activities of two threat actor clusters: TA829 and UNK_GreenSec. TA829 conducts both espionage and cybercrime operations using tools like SingleCamper and DustyHammock. UNK_GreenSec deploys TransferLoader malware leading to ransomware infections. The actors share similarities in infrastructure, delivery tactics, and lure themes, raising questions about their relationship. Four hypotheses are presented regarding their potential connection, ranging from shared third-party services to being the same actor. The report highlights the increasing overlap between cybercrime and espionage activities, making attribution more challenging in the current threat landscape.", "modified": "2025-07-01T08:09:37.616000", "created": "2025-07-01T08:07:32.903000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 386760, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68660d05b657f67ed01a1472", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader", "description": "", "modified": "2025-07-03T04:54:29.945000", "created": "2025-07-03T04:54:29.945000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": "68639744272b5a4d16c46166", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "333 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686493f010c30085b34ccfe6", "name": "IOC&TTP - 10 Things I Hate About Attribution RomCom vs. TransferLoader", "description": "\u672c\u62a5\u544a\u5206\u6790\u4e86\u4e24\u4e2a\u5a01\u80c1\u6d3b\u52a8\u96c6\u7fa4\uff1aTA829\uff08RomCom) \u548c UNK_GreenSec\uff08TransferLoader\uff09\uff0c\u5b83\u4eec\u5177\u6709\u9ad8\u5ea6\u76f8\u4f3c\u7684\u6218\u672f\u3001\u6280\u672f\u548c\u7a0b\u5e8f\uff08TTPs\uff09\u3001\u57fa\u7840\u8bbe\u65bd\u548c\u90ae\u4ef6\u8bf1\u9975\u7b56\u7565\uff0c\u4f46\u5176\u5f52\u5c5e\u5c1a\u4e0d\u660e\u786e\u3002TA829\u662f\u4e00\u4e2a\u5177\u6709\u91d1\u878d\u52a8\u673a\u5e76\u6d89\u53ca\u95f4\u8c0d\u6d3b\u52a8\u7684\u884c\u4e3a\u8005\uff0c\u53ef\u80fd\u4e0e\u4fc4\u7f57\u65af\u6709\u5173\uff1b\u800cUNK_GreenSec\u662f\u4e00\u4e2a\u53ef\u80fd\u76f8\u4e92\u5173\u8054\u4f46\u66f4\u503e\u5411\u4e8e\u7eaf\u7cb9\u7f51\u7edc\u72af\u7f6a\u7684\u96c6\u7fa4\u3002\u4e24\u8005\u5747\u4f7f\u7528\u5fae\u578b\u8def\u7531\u5668\u4ee3\u7406\uff08REM Proxy\uff09\u548c\u518d\u5b9a\u5411\u94fe\uff0c\u5728\u9493\u9c7c\u90ae\u4ef6\u4e2d\u4f7f\u7528\u7b80\u5386/\u6295\u8bc9\u7b49\u4e3b\u9898\uff0c\u90e8\u7f72\u5404\u81ea\u72ec\u7acb\u7684\u6076\u610f\u7a0b\u5e8f\uff08RomCom\u5bb6\u65cf\u5de5\u5177\u94fe\u4e0eTransferLoader\uff09\u3002\u62a5\u544a\u4e5f\u63d0\u51fa\u4e86\u56db\u79cd\u53ef\u80fd\u7684\u5f52\u5c5e\u5047\u8bbe\uff0c\u4f53\u73b0\u4e86\u7f51\u7edc\u5a01\u80c1\u751f\u6001\u7cfb\u7edf\u4e2d\u7f51\u7edc\u72af\u7f6a\u4e0e\u95f4\u8c0d\u6d3b\u52a8\u7684\u878d\u5408\u8d8b\u52bf\u3002", "modified": "2025-07-02T02:05:46.780000", "created": "2025-07-02T02:05:36.582000", "tags": [ "transferloader", "singlecamper", "slipscreen", "ransomware", "hellcat", "dustyhammock", "morpheus", "meltingclaw", "romcom", "shadyhammock", "rustyclaw" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "TA829", "targeted_countries": [ "Ukraine", "United States of America" ], "malware_families": [ { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "TransferLoader", "display_name": "TransferLoader", "target": null }, { "id": "SlipScreen", "display_name": "SlipScreen", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "Morpheus", "display_name": "Morpheus", "target": null }, { "id": "HellCat", "display_name": "HellCat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Defense" ], "TLP": "white", "cloned_from": "68639744272b5a4d16c46166", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 92, "hostname": 1 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "334 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686457bec73826e391598c91", "name": "xxxxxxx", "description": "", "modified": "2025-07-01T21:48:46.460000", "created": "2025-07-01T21:48:46.460000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 59, "hostname": 1 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6863ca1f92e3d9b7fc2c3b03", "name": "10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US", "description": "", "modified": "2025-07-01T11:44:31.683000", "created": "2025-07-01T11:44:31.683000", "tags": [ "ta829", "unkgreensec", "transferloader", "proofpoint", "dustyhammock", "singlecamper", "rem proxy", "ttps", "dlls", "february", "ukraine", "rust", "meltingclaw", "window", "april", "shadyhammock", "august", "metasploit", "june", "morpheus", "hellcat", "danabot", "sunseed" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 10, "FileHash-SHA256": 14, "domain": 107, "hostname": 2 }, "indicator_count": 136, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "335 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "drsync.click", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "drsync.click", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780351864.7651927 }