{ "type": "Domain", "indicator": "duelbits-cdn.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/duelbits-cdn.com", "alexa": "http://www.alexa.com/siteinfo/duelbits-cdn.com", "indicator": "duelbits-cdn.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4056049329, "indicator": "duelbits-cdn.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "67f62708c6faf0ab4e24f6d4", "name": "Scattered Spider: Still Hunting for Victims in 2025", "description": "Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.", "modified": "2025-05-09T07:01:46.188000", "created": "2025-04-09T07:51:36.790000", "tags": [ "phishing", "social engineering", "domain impersonation", "klaviyo", "hubspot", "spectre rat" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Spectre RAT", "display_name": "Spectre RAT", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Retail", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 386549, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688990fa0d8382bd5f02d806", "name": "EbeeJuly2025 Pt1", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T03:04:16.203000", "created": "2025-07-30T03:26:50.115000", "tags": [], "references": [ "Julypt1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 131, "FileHash-SHA1": 144, "FileHash-SHA256": 232, "CIDR": 1, "CVE": 3, "domain": 150, "email": 9, "hostname": 37 }, "indicator_count": 746, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "275 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68678d076be34e0dd9d9a6fd", "name": "GC Scattered Spider Targeting Multi Sectors", "description": "The following is a full list of malicious domain names: \u00c2\u00a31.5m, \u00a31bn, \u00e2\u201a\u00ac2.3m..7m", "modified": "2025-08-03T08:01:56.508000", "created": "2025-07-04T08:12:55.944000", "tags": [ "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dario.guerreiro", "id": "155493", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6808456074f76f5b134bac73", "name": "Scattered Spider: Persistent Threat Actor Targets Major Brands in 2025", "description": "The Scattered Spider hacker collective continues to pose a significant threat in 2025, targeting major brands such as Klaviyo, HubSpot, and Pure Storage. Silent Push researchers have identified five unique phishing kits used by Scattered Spider, with updates to their tactics, techniques, and procedures (TTPs). Notably, the group has deployed a new version of Spectre RAT to gain persistent access to compromised systems.", "modified": "2025-05-23T01:05:36.873000", "created": "2025-04-23T01:41:52.223000", "tags": [ "spider", "spectre rat", "silent push", "bitlaunch", "push", "okta", "snowflake", "bitcoin", "kraken", "trojan", "elijah", "u.s. threat", "spectre" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025/" ], "public": 1, "adversary": "Elijah", "targeted_countries": [], "malware_families": [ { "id": "U.S. Threat", "display_name": "U.S. Threat", "target": null }, { "id": "Spectre", "display_name": "Spectre", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 56, "hostname": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f7813ad4864d50644332e8", "name": "IOC&TTP - Scattered Spider: Still Hunting for Victims in 2025", "description": "Scattered Spider \u662f\u4e00\u4e2a\u81ea 2022 \u5e74\u4ee5\u6765\u6d3b\u8dc3\u7684\u653b\u51fb\u56e2\u4f53\uff0c\u4ee5\u9ad8\u6c34\u5e73\u7684\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\u8457\u79f0 \u3002\u4ed6\u4eec\u5728 2025 \u5e74\u6301\u7eed\u6269\u5f20\u76ee\u6807\u8303\u56f4\uff0c\u4ece\u91d1\u878d\u3001\u4e91\u5b58\u50a8\u5230\u96f6\u552e\u3001\u793e\u4ea4\u5e73\u53f0\u4e0e\u8425\u9500\u5de5\u5177\u7b49\u591a\u4e2a\u884c\u4e1a\u3002\n\u5c3d\u7ba1 2024 \u5e74\u591a\u540d\u7591\u4f3c\u6210\u5458\u88ab\u6355\uff0c\u4f46 Scattered Spider \u5e76\u672a\u56e0\u6b64\u505c\u6b47\uff0c\u5728 2025 \u5e74\u6301\u7eed\u6295\u5165\u65b0\u7684\u6280\u672f\u4e0e\u5de5\u5177\u6765\u8fdb\u884c\u7a83\u53d6\u51ed\u636e\u3001\u6269\u5927\u653b\u51fb\u8303\u56f4\u3001\u6df7\u6dc6\u57fa\u7840\u67b6\u6784\u7b49\u884c\u52a8\u3002\u4f01\u4e1a\u6216\u7ec4\u7ec7\u9700\u8981\u9488\u5bf9\u5176\u52a8\u6001\u6ce8\u518c\u57df\u540d\u3001\u9493\u9c7c\u5957\u4ef6\u4e0e RAT \u5bb6\u65cf\u6d3b\u52a8\u91c7\u53d6\u9632\u62a4\u63aa\u65bd\u3002", "modified": "2025-05-09T07:01:46.188000", "created": "2025-04-10T08:28:42.480000", "tags": [ "phishing", "social engineering", "domain impersonation", "klaviyo", "hubspot", "spectre rat" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Spectre RAT", "display_name": "Spectre RAT", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Retail", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": "67f62708c6faf0ab4e24f6d4", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025/", "https://www.silentpush.com/blog/scattered-spider-2025", "Julypt1.pdf" ], "related": { "alienvault": { "adversary": [ "Scattered Spider" ], "malware_families": [ "Spectre rat" ], "industries": [ "Technology", "Healthcare", "Retail", "Finance", "Telecommunications" ] }, "other": { "adversary": [ "Multiple", "Scattered Spider", "Elijah" ], "malware_families": [ "Spectre rat", "Spectre", "U.s. threat" ], "industries": [ "Technology", "Healthcare", "Retail", "Finance", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "67f62708c6faf0ab4e24f6d4", "name": "Scattered Spider: Still Hunting for Victims in 2025", "description": "Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.", "modified": "2025-05-09T07:01:46.188000", "created": "2025-04-09T07:51:36.790000", "tags": [ "phishing", "social engineering", "domain impersonation", "klaviyo", "hubspot", "spectre rat" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Spectre RAT", "display_name": "Spectre RAT", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Retail", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 386549, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688990fa0d8382bd5f02d806", "name": "EbeeJuly2025 Pt1", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T03:04:16.203000", "created": "2025-07-30T03:26:50.115000", "tags": [], "references": [ "Julypt1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 131, "FileHash-SHA1": 144, "FileHash-SHA256": 232, "CIDR": 1, "CVE": 3, "domain": 150, "email": 9, "hostname": 37 }, "indicator_count": 746, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "275 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68678d076be34e0dd9d9a6fd", "name": "GC Scattered Spider Targeting Multi Sectors", "description": "The following is a full list of malicious domain names: \u00c2\u00a31.5m, \u00a31bn, \u00e2\u201a\u00ac2.3m..7m", "modified": "2025-08-03T08:01:56.508000", "created": "2025-07-04T08:12:55.944000", "tags": [ "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dario.guerreiro", "id": "155493", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52, "hostname": 2 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6808456074f76f5b134bac73", "name": "Scattered Spider: Persistent Threat Actor Targets Major Brands in 2025", "description": "The Scattered Spider hacker collective continues to pose a significant threat in 2025, targeting major brands such as Klaviyo, HubSpot, and Pure Storage. Silent Push researchers have identified five unique phishing kits used by Scattered Spider, with updates to their tactics, techniques, and procedures (TTPs). Notably, the group has deployed a new version of Spectre RAT to gain persistent access to compromised systems.", "modified": "2025-05-23T01:05:36.873000", "created": "2025-04-23T01:41:52.223000", "tags": [ "spider", "spectre rat", "silent push", "bitlaunch", "push", "okta", "snowflake", "bitcoin", "kraken", "trojan", "elijah", "u.s. threat", "spectre" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025/" ], "public": 1, "adversary": "Elijah", "targeted_countries": [], "malware_families": [ { "id": "U.S. Threat", "display_name": "U.S. Threat", "target": null }, { "id": "Spectre", "display_name": "Spectre", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 56, "hostname": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f7813ad4864d50644332e8", "name": "IOC&TTP - Scattered Spider: Still Hunting for Victims in 2025", "description": "Scattered Spider \u662f\u4e00\u4e2a\u81ea 2022 \u5e74\u4ee5\u6765\u6d3b\u8dc3\u7684\u653b\u51fb\u56e2\u4f53\uff0c\u4ee5\u9ad8\u6c34\u5e73\u7684\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\u8457\u79f0 \u3002\u4ed6\u4eec\u5728 2025 \u5e74\u6301\u7eed\u6269\u5f20\u76ee\u6807\u8303\u56f4\uff0c\u4ece\u91d1\u878d\u3001\u4e91\u5b58\u50a8\u5230\u96f6\u552e\u3001\u793e\u4ea4\u5e73\u53f0\u4e0e\u8425\u9500\u5de5\u5177\u7b49\u591a\u4e2a\u884c\u4e1a\u3002\n\u5c3d\u7ba1 2024 \u5e74\u591a\u540d\u7591\u4f3c\u6210\u5458\u88ab\u6355\uff0c\u4f46 Scattered Spider \u5e76\u672a\u56e0\u6b64\u505c\u6b47\uff0c\u5728 2025 \u5e74\u6301\u7eed\u6295\u5165\u65b0\u7684\u6280\u672f\u4e0e\u5de5\u5177\u6765\u8fdb\u884c\u7a83\u53d6\u51ed\u636e\u3001\u6269\u5927\u653b\u51fb\u8303\u56f4\u3001\u6df7\u6dc6\u57fa\u7840\u67b6\u6784\u7b49\u884c\u52a8\u3002\u4f01\u4e1a\u6216\u7ec4\u7ec7\u9700\u8981\u9488\u5bf9\u5176\u52a8\u6001\u6ce8\u518c\u57df\u540d\u3001\u9493\u9c7c\u5957\u4ef6\u4e0e RAT \u5bb6\u65cf\u6d3b\u52a8\u91c7\u53d6\u9632\u62a4\u63aa\u65bd\u3002", "modified": "2025-05-09T07:01:46.188000", "created": "2025-04-10T08:28:42.480000", "tags": [ "phishing", "social engineering", "domain impersonation", "klaviyo", "hubspot", "spectre rat" ], "references": [ "https://www.silentpush.com/blog/scattered-spider-2025" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Spectre RAT", "display_name": "Spectre RAT", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Finance", "Retail", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": "67f62708c6faf0ab4e24f6d4", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 53, "hostname": 2 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "duelbits-cdn.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "duelbits-cdn.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780242155.7465997 }