{ "type": "Domain", "indicator": "echidns.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/echidns.com", "alexa": "http://www.alexa.com/siteinfo/echidns.com", "indicator": "echidns.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4164185124, "indicator": "echidns.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6942be15df5bec2ffa9b395d", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "Parked domains are increasingly being weaponized through direct search advertising, posing significant risks to users. The investigation found that over 90% of visits to parked domains led to scams, malware, or unwanted content. Three key actors were identified: one using lookalike domains and mail collection, another employing sophisticated 'double fast flux' techniques, and a third exploiting DNS configuration typos. These actors actively profile visitors and selectively redirect traffic to malicious advertisers. The complexity of the advertising ecosystem makes it difficult to trace the origin of threats. Recent policy changes and the rise of AI may inadvertently increase risks associated with parked domains.", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-17T14:28:37.531000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386497, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6943093f9e1868b5bdcfaa28", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "Infoblox provides a comprehensive guide to the company's products, services and solutions for customers, companies, and other industry sectors, as well as offering a range of other products and services to customers.", "modified": "2026-01-16T19:01:44.223000", "created": "2025-12-17T19:49:19.898000", "tags": [ "strong", "november", "october", "december", "july", "august", "september", "june", "january", "march", "february", "april", "cloud", "service", "protect", "contact", "tools", "speed", "click", "trinity", "cyber", "model", "direct", "premium", "screen", "suspicious", "tedy", "date", "fast", "tech", "vpn", "babar" ], "references": [ "https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/" ], "public": 1, "adversary": "Trinity", "targeted_countries": [], "malware_families": [ { "id": "VPN", "display_name": "VPN", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Tedy", "display_name": "Tedy", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Gaming" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 31, "email": 1, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69439339ca1e578651edf00a", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-18T05:38:01.875000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "6942be15df5bec2ffa9b395d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69523e425c830cff165e1d2a", "name": "IOC - Parked Domains Become Weapons with Direct Search Advertising", "description": "", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-29T08:39:30.344000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "6942be15df5bec2ffa9b395d", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book2.csv", "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising", "https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Babar", "Tedy" ], "industries": [] }, "other": { "adversary": [ "Trinity", "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing" ], "malware_families": [ "Vpn", "Babar", "Tedy" ], "industries": [ "Gaming" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6942be15df5bec2ffa9b395d", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "Parked domains are increasingly being weaponized through direct search advertising, posing significant risks to users. The investigation found that over 90% of visits to parked domains led to scams, malware, or unwanted content. Three key actors were identified: one using lookalike domains and mail collection, another employing sophisticated 'double fast flux' techniques, and a third exploiting DNS configuration typos. These actors actively profile visitors and selectively redirect traffic to malicious advertisers. The complexity of the advertising ecosystem makes it difficult to trace the origin of threats. Recent policy changes and the rise of AI may inadvertently increase risks associated with parked domains.", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-17T14:28:37.531000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386497, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6943093f9e1868b5bdcfaa28", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "Infoblox provides a comprehensive guide to the company's products, services and solutions for customers, companies, and other industry sectors, as well as offering a range of other products and services to customers.", "modified": "2026-01-16T19:01:44.223000", "created": "2025-12-17T19:49:19.898000", "tags": [ "strong", "november", "october", "december", "july", "august", "september", "june", "january", "march", "february", "april", "cloud", "service", "protect", "contact", "tools", "speed", "click", "trinity", "cyber", "model", "direct", "premium", "screen", "suspicious", "tedy", "date", "fast", "tech", "vpn", "babar" ], "references": [ "https://www.infoblox.com/blog/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising/" ], "public": 1, "adversary": "Trinity", "targeted_countries": [], "malware_families": [ { "id": "VPN", "display_name": "VPN", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Tedy", "display_name": "Tedy", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Gaming" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 31, "email": 1, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69439339ca1e578651edf00a", "name": "Parked Domains Become Weapons with Direct Search Advertising", "description": "", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-18T05:38:01.875000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "6942be15df5bec2ffa9b395d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69523e425c830cff165e1d2a", "name": "IOC - Parked Domains Become Weapons with Direct Search Advertising", "description": "", "modified": "2026-01-16T14:00:22.030000", "created": "2025-12-29T08:39:30.344000", "tags": [ "typosquatting", "domain parking", "traffic distribution systems", "fast flux", "dns abuse", "babar", "malvertising", "parked domains", "direct search advertising", "tedy" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/parked-domains-become-weapons-with-direct-search-advertising" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [ { "id": "Tedy", "display_name": "Tedy", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": "6942be15df5bec2ffa9b395d", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 14, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "echidns.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "echidns.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214628.0865605 }