{ "type": "Domain", "indicator": "e-forwardviewupdata.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/e-forwardviewupdata.com", "alexa": "http://www.alexa.com/siteinfo/e-forwardviewupdata.com", "indicator": "e-forwardviewupdata.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3435177916, "indicator": "e-forwardviewupdata.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "68d56db8ea32a255b0de8822", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications data from telecom providers and critical infrastructure sectors. The group operates with MSS oversight and support from pseudo-private contractors, using front companies to obscure attribution. Salt Typhoon's campaigns utilize bespoke malware, living-off-the-land binaries, and stealthy router implants, with a targeting profile spanning the U.S., U.K., Taiwan, and EU. Their operations are notable for using publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.", "modified": "2025-09-25T19:09:29.549000", "created": "2025-09-25T16:28:40.891000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 387078, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bef37d948f9f130f1cbecc", "name": "Significant Risk and Proactive Defense", "description": "A comprehensive analysis reveals a substantial threat posed by domains linked to Salt Typhoon and UNC4841, likely China-associated cyberespionage actors. The investigation uncovered a larger network of domain names beyond those publicly known, indicating a pattern of long-term access and sophisticated operations. A recent breach of a U.S. telecommunications provider, discovered a year after the fact, underscores the persistent nature of these threats. Organizations potentially at risk of Chinese espionage are strongly advised to scrutinize their DNS logs for the past five years, checking for requests to listed domains, subdomains, and associated IP addresses. Ongoing monitoring and information sharing are crucial in defending against this evolving threat landscape.", "modified": "2025-09-08T15:19:36.403000", "created": "2025-09-08T15:17:17.853000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 75643, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 387080, "modified_text": "267 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dcfe617051963f6fa4a7e3", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-10-31T10:03:43.999000", "created": "2025-10-01T10:11:45.879000", "tags": [], "references": [ "Sep week4.pdf" ], "public": 1, "adversary": "BeaverTail, Gunra Ransomware, Lockbit, Lumma Staeler, TamperedChef, RedNovember, XWorm campaign", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 97, "FileHash-MD5": 95, "FileHash-SHA1": 117, "FileHash-SHA256": 105, "CVE": 5, "URL": 21, "hostname": 50, "email": 2 }, "indicator_count": 492, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dae3af2eff735b92c27326", "name": "Inside Salt Typhoon: Chinas State-Corporate Advanced Persistent Threat.", "description": "A report on China\u2019s state-sponsored advanced persistent threat (APT) group Salt Typhoon, published by the International Institute for Strategic Studies (IISS), outlines its capabilities and strategy.", "modified": "2025-10-29T19:00:25.553000", "created": "2025-09-29T19:53:19.210000", "tags": [ "salt typhoon", "china", "ministry", "typhoon", "state security", "sigint", "justice", "department", "miami", "voip", "august", "known" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/" ], "public": 1, "adversary": "Known", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Telecommunications", "Telecom", "Defense", "Critical Infrastructure", "Foreign", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 36, "hostname": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ca542a70d6b89d74e7610c", "name": "aasdd", "description": "The following is a full list of up-to-dateupdata, which has been compiled by the British Library and the Association of Chartered Surveyors (BSPs) for the past 20 years.", "modified": "2025-10-17T06:04:52.323000", "created": "2025-09-17T06:24:42.069000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "domain": 45, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bff3e33540d09bd27e7c8c", "name": "EbeeSep2025 Pt2", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-09T09:31:15.081000", "tags": [], "references": [ "Sep week2.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 165, "FileHash-SHA256": 382, "domain": 75, "hostname": 17, "FilePath": 4, "URL": 17 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c990a9255b06d5e0a85", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:09.365000", "created": "2025-09-29T06:52:09.365000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c9804b67e35d4e82fc0", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:08.360000", "created": "2025-09-29T06:52:08.360000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c8eb85bd3f8ae4b647c", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:51:58.340000", "created": "2025-09-29T06:51:58.340000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d63d2a6c32057604d3d1b3", "name": "IOC - Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-26T07:13:46.453000", "created": "2025-09-26T07:13:46.453000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c25b29cb401c32731b9035", "name": "\"Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data \"", "description": "", "modified": "2025-09-11T05:16:25.087000", "created": "2025-09-11T05:16:25.087000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": "68bef37d948f9f130f1cbecc", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 282, "modified_text": "265 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626b841d90a3f0ddf7b6e4b8", "name": "NewDom-1-20220429", "description": "ICANN-Dom", "modified": "2022-06-13T00:00:32.864000", "created": "2022-04-29T06:22:21.916000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 203, "modified_text": "1451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "Sep week4.pdf", "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/", "Sep week2.pdf", "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat", "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "related": { "alienvault": { "adversary": [ "GhostEmperor", "Salt Typhoon, UNC4841" ], "malware_families": [], "industries": [ "Telecommunications", "Defense", "Energy", "Government" ] }, "other": { "adversary": [ "Salt Typhoon, UNC4841", "Salt Typhoon", "Known", "Multiple", "BeaverTail, Gunra Ransomware, Lockbit, Lumma Staeler, TamperedChef, RedNovember, XWorm campaign" ], "malware_families": [], "industries": [ "Telecommunications", "Energy", "Government", "Telecom", "Defense", "Military", "Critical infrastructure", "Foreign" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "68d56db8ea32a255b0de8822", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications data from telecom providers and critical infrastructure sectors. The group operates with MSS oversight and support from pseudo-private contractors, using front companies to obscure attribution. Salt Typhoon's campaigns utilize bespoke malware, living-off-the-land binaries, and stealthy router implants, with a targeting profile spanning the U.S., U.K., Taiwan, and EU. Their operations are notable for using publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.", "modified": "2025-09-25T19:09:29.549000", "created": "2025-09-25T16:28:40.891000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 387078, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bef37d948f9f130f1cbecc", "name": "Significant Risk and Proactive Defense", "description": "A comprehensive analysis reveals a substantial threat posed by domains linked to Salt Typhoon and UNC4841, likely China-associated cyberespionage actors. The investigation uncovered a larger network of domain names beyond those publicly known, indicating a pattern of long-term access and sophisticated operations. A recent breach of a U.S. telecommunications provider, discovered a year after the fact, underscores the persistent nature of these threats. Organizations potentially at risk of Chinese espionage are strongly advised to scrutinize their DNS logs for the past five years, checking for requests to listed domains, subdomains, and associated IP addresses. Ongoing monitoring and information sharing are crucial in defending against this evolving threat landscape.", "modified": "2025-09-08T15:19:36.403000", "created": "2025-09-08T15:17:17.853000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 75643, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 387080, "modified_text": "267 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dcfe617051963f6fa4a7e3", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-10-31T10:03:43.999000", "created": "2025-10-01T10:11:45.879000", "tags": [], "references": [ "Sep week4.pdf" ], "public": 1, "adversary": "BeaverTail, Gunra Ransomware, Lockbit, Lumma Staeler, TamperedChef, RedNovember, XWorm campaign", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 97, "FileHash-MD5": 95, "FileHash-SHA1": 117, "FileHash-SHA256": 105, "CVE": 5, "URL": 21, "hostname": 50, "email": 2 }, "indicator_count": 492, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "215 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dae3af2eff735b92c27326", "name": "Inside Salt Typhoon: Chinas State-Corporate Advanced Persistent Threat.", "description": "A report on China\u2019s state-sponsored advanced persistent threat (APT) group Salt Typhoon, published by the International Institute for Strategic Studies (IISS), outlines its capabilities and strategy.", "modified": "2025-10-29T19:00:25.553000", "created": "2025-09-29T19:53:19.210000", "tags": [ "salt typhoon", "china", "ministry", "typhoon", "state security", "sigint", "justice", "department", "miami", "voip", "august", "known" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/" ], "public": 1, "adversary": "Known", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Telecommunications", "Telecom", "Defense", "Critical Infrastructure", "Foreign", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 36, "hostname": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ca542a70d6b89d74e7610c", "name": "aasdd", "description": "The following is a full list of up-to-dateupdata, which has been compiled by the British Library and the Association of Chartered Surveyors (BSPs) for the past 20 years.", "modified": "2025-10-17T06:04:52.323000", "created": "2025-09-17T06:24:42.069000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "domain": 45, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bff3e33540d09bd27e7c8c", "name": "EbeeSep2025 Pt2", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-09T09:31:15.081000", "tags": [], "references": [ "Sep week2.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 165, "FileHash-SHA256": 382, "domain": 75, "hostname": 17, "FilePath": 4, "URL": 17 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c990a9255b06d5e0a85", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:09.365000", "created": "2025-09-29T06:52:09.365000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c9804b67e35d4e82fc0", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:08.360000", "created": "2025-09-29T06:52:08.360000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c8eb85bd3f8ae4b647c", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:51:58.340000", "created": "2025-09-29T06:51:58.340000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 281, "modified_text": "247 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d63d2a6c32057604d3d1b3", "name": "IOC - Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-26T07:13:46.453000", "created": "2025-09-26T07:13:46.453000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "e-forwardviewupdata.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "e-forwardviewupdata.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780487457.2762814 }