{
  "type": "Domain",
  "indicator": "ecomicrolab.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ecomicrolab.com",
    "alexa": "http://www.alexa.com/siteinfo/ecomicrolab.com",
    "indicator": "ecomicrolab.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4076978654,
      "indicator": "ecomicrolab.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "68e81aa6fa499ffa699c90fe",
          "name": "EbeeOct2025 Pt1",
          "description": "",
          "modified": "2025-11-09T00:03:01.593000",
          "created": "2025-10-09T20:27:18.015000",
          "tags": [],
          "references": [
            "IOCs_Oct week-1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple APT/Malware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 53,
            "URL": 46,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 287,
            "CVE": 1,
            "domain": 71
          },
          "indicator_count": 795,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "203 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dd98718e1529162e88dac7",
          "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer",
          "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.",
          "modified": "2025-10-31T21:05:05.615000",
          "created": "2025-10-01T21:09:05.692000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "211 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dc1d2412b0e354d73f4831",
          "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
          "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.",
          "modified": "2025-10-30T18:03:11.379000",
          "created": "2025-09-30T18:10:44.616000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "Hive0145",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "212 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68edfce2513a952356d99a24",
          "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
          "description": "",
          "modified": "2025-10-30T18:03:11.379000",
          "created": "2025-10-14T07:33:54.529000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "Hive0145",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68dc1d2412b0e354d73f4831",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "212 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e7758b5be3ab5466a02275",
          "name": "IOC - Detour Dog: DNS Malware Powers Strela Stealer Campaigns",
          "description": "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog.",
          "modified": "2025-10-09T08:42:51.157000",
          "created": "2025-10-09T08:42:51.157000",
          "tags": [],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "234 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e6221ba135c0619e72e3b7",
          "name": "assdfghg",
          "description": "",
          "modified": "2025-10-08T08:34:35.628000",
          "created": "2025-10-08T08:34:35.628000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 15
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "235 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e4112622320beb71316b4a",
          "name": "Detour Dog Caught Operating DNS-Based Malware Attacks to Distribute Strela Stealer",
          "description": "",
          "modified": "2025-10-06T18:57:42.852000",
          "created": "2025-10-06T18:57:42.852000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "236 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6858f83ff378367cd4583ae8",
          "name": "What is the Real Relationship between WordPress Hackers and Malicious Adtech?",
          "description": "",
          "modified": "2025-07-23T06:05:02.924000",
          "created": "2025-06-23T06:46:23.796000",
          "tags": [
            "vextrio",
            "help tds",
            "november",
            "tdss",
            "los pollos",
            "dns txt",
            "august",
            "december",
            "strong",
            "june",
            "april",
            "february",
            "cloud",
            "keitaro",
            "contact",
            "tools",
            "speed",
            "protect",
            "service",
            "evolution",
            "android",
            "virustotal",
            "clearfake",
            "telegram",
            "push",
            "cloudy"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "alan.chan",
            "id": "342886",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "URL": 3,
            "domain": 41,
            "hostname": 45
          },
          "indicator_count": 90,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "312 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6855fa94d903e0d52e33a387",
          "name": "URLHaus data - 20-06-2025",
          "description": "",
          "modified": "2025-07-21T00:04:47.952000",
          "created": "2025-06-21T00:19:32.796000",
          "tags": [
            "elf",
            "mirai",
            "ua-wget",
            "censys",
            "CobaltStrike",
            "hajime",
            "backdoor",
            "sshdkit",
            "js",
            "StrelaStealer",
            "SVG",
            "c2-monitor-auto",
            "dropped-by-amadey",
            "lnk",
            "opendir",
            "bat",
            "wsf",
            "zip",
            "vbs",
            "BABADEDA",
            "sh",
            "base64-loader",
            "gafgyt",
            "CoinMiner",
            "py",
            "RemcosRAT",
            "connectwise",
            "LummaStealer",
            "geofenced",
            "malware",
            "TUR",
            "turkey",
            "fake-captcha"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 381,
            "domain": 160,
            "hostname": 60
          },
          "indicator_count": 601,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "314 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "685566319da2b4af8e21b8b1",
          "name": "What is the Real Relationship between WordPress Hackers and Malicious Adtech?",
          "description": "Infoblox offers a comprehensive guide to key market solutions, as well as product reviews and product previews, for sale on the web, at www.infobox. \u00a31.",
          "modified": "2025-07-20T13:04:56.925000",
          "created": "2025-06-20T13:46:25.849000",
          "tags": [
            "vextrio",
            "help tds",
            "november",
            "tdss",
            "los pollos",
            "dns txt",
            "august",
            "december",
            "strong",
            "june",
            "april",
            "february",
            "cloud",
            "keitaro",
            "contact",
            "tools",
            "speed",
            "protect",
            "service",
            "evolution",
            "android",
            "virustotal",
            "clearfake",
            "telegram",
            "push",
            "cloudy",
            "cyber",
            "txt record",
            "tds",
            "operators",
            "disposable tds",
            "dollyway",
            "wordpress"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/"
          ],
          "public": 1,
          "adversary": "Cyber",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TXT Record",
              "display_name": "TXT Record",
              "target": null
            },
            {
              "id": "TDS",
              "display_name": "TDS",
              "target": null
            },
            {
              "id": "Operators",
              "display_name": "Operators",
              "target": null
            },
            {
              "id": "Disposable TDS",
              "display_name": "Disposable TDS",
              "target": null
            },
            {
              "id": "DollyWay",
              "display_name": "DollyWay",
              "target": null
            },
            {
              "id": "WordPress",
              "display_name": "WordPress",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "URL": 3,
            "domain": 41,
            "hostname": 45
          },
          "indicator_count": 90,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "315 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684fc08ec1f449ae3711bff0",
          "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.",
          "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.",
          "modified": "2025-07-16T06:01:43.026000",
          "created": "2025-06-16T06:58:22.198000",
          "tags": [
            "strong",
            "title",
            "link",
            "summary",
            "threats",
            "grayalpha",
            "rst cloud",
            "powershell",
            "discord",
            "katz stealer",
            "funksec",
            "killsec",
            "february",
            "ghostlocker",
            "werewolf",
            "hammer",
            "shadowpad",
            "scatterbrain",
            "asyncrat",
            "loader",
            "malware",
            "muddywater",
            "skuld",
            "remote access",
            "javascript"
          ],
          "references": [
            "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ShadowPad",
              "display_name": "ShadowPad",
              "target": null
            },
            {
              "id": "Skuld",
              "display_name": "Skuld",
              "target": null
            },
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 36,
            "FileHash-MD5": 249,
            "FileHash-SHA1": 112,
            "FileHash-SHA256": 244,
            "CVE": 1,
            "domain": 232,
            "email": 2,
            "hostname": 67
          },
          "indicator_count": 943,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "319 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/",
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/",
        "IOCs_Oct week-1.pdf",
        "https://urlhaus.abuse.ch/browse/",
        "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Cyber",
            "Hive0145",
            "Multiple APT/Malware"
          ],
          "malware_families": [
            "Skuld",
            "Remote access",
            "Wordpress",
            "Golo",
            "Mikrotik",
            "Txt record",
            "Tds",
            "Javascript",
            "Dollyway",
            "Second",
            "Strela",
            "Shadowpad",
            "Disposable tds",
            "Starfish",
            "Operators"
          ],
          "industries": [
            "Financial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "68e81aa6fa499ffa699c90fe",
      "name": "EbeeOct2025 Pt1",
      "description": "",
      "modified": "2025-11-09T00:03:01.593000",
      "created": "2025-10-09T20:27:18.015000",
      "tags": [],
      "references": [
        "IOCs_Oct week-1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple APT/Malware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 53,
        "URL": 46,
        "FileHash-MD5": 178,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 287,
        "CVE": 1,
        "domain": 71
      },
      "indicator_count": 795,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "203 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dd98718e1529162e88dac7",
      "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer",
      "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.",
      "modified": "2025-10-31T21:05:05.615000",
      "created": "2025-10-01T21:09:05.692000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "211 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dc1d2412b0e354d73f4831",
      "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
      "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.",
      "modified": "2025-10-30T18:03:11.379000",
      "created": "2025-09-30T18:10:44.616000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "Hive0145",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "212 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68edfce2513a952356d99a24",
      "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
      "description": "",
      "modified": "2025-10-30T18:03:11.379000",
      "created": "2025-10-14T07:33:54.529000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "Hive0145",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68dc1d2412b0e354d73f4831",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "212 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e7758b5be3ab5466a02275",
      "name": "IOC - Detour Dog: DNS Malware Powers Strela Stealer Campaigns",
      "description": "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog.",
      "modified": "2025-10-09T08:42:51.157000",
      "created": "2025-10-09T08:42:51.157000",
      "tags": [],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "234 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e6221ba135c0619e72e3b7",
      "name": "assdfghg",
      "description": "",
      "modified": "2025-10-08T08:34:35.628000",
      "created": "2025-10-08T08:34:35.628000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 15
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "235 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e4112622320beb71316b4a",
      "name": "Detour Dog Caught Operating DNS-Based Malware Attacks to Distribute Strela Stealer",
      "description": "",
      "modified": "2025-10-06T18:57:42.852000",
      "created": "2025-10-06T18:57:42.852000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "236 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6858f83ff378367cd4583ae8",
      "name": "What is the Real Relationship between WordPress Hackers and Malicious Adtech?",
      "description": "",
      "modified": "2025-07-23T06:05:02.924000",
      "created": "2025-06-23T06:46:23.796000",
      "tags": [
        "vextrio",
        "help tds",
        "november",
        "tdss",
        "los pollos",
        "dns txt",
        "august",
        "december",
        "strong",
        "june",
        "april",
        "february",
        "cloud",
        "keitaro",
        "contact",
        "tools",
        "speed",
        "protect",
        "service",
        "evolution",
        "android",
        "virustotal",
        "clearfake",
        "telegram",
        "push",
        "cloudy"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "alan.chan",
        "id": "342886",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1,
        "URL": 3,
        "domain": 41,
        "hostname": 45
      },
      "indicator_count": 90,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 0,
      "modified_text": "312 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6855fa94d903e0d52e33a387",
      "name": "URLHaus data - 20-06-2025",
      "description": "",
      "modified": "2025-07-21T00:04:47.952000",
      "created": "2025-06-21T00:19:32.796000",
      "tags": [
        "elf",
        "mirai",
        "ua-wget",
        "censys",
        "CobaltStrike",
        "hajime",
        "backdoor",
        "sshdkit",
        "js",
        "StrelaStealer",
        "SVG",
        "c2-monitor-auto",
        "dropped-by-amadey",
        "lnk",
        "opendir",
        "bat",
        "wsf",
        "zip",
        "vbs",
        "BABADEDA",
        "sh",
        "base64-loader",
        "gafgyt",
        "CoinMiner",
        "py",
        "RemcosRAT",
        "connectwise",
        "LummaStealer",
        "geofenced",
        "malware",
        "TUR",
        "turkey",
        "fake-captcha"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 381,
        "domain": 160,
        "hostname": 60
      },
      "indicator_count": 601,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "314 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "685566319da2b4af8e21b8b1",
      "name": "What is the Real Relationship between WordPress Hackers and Malicious Adtech?",
      "description": "Infoblox offers a comprehensive guide to key market solutions, as well as product reviews and product previews, for sale on the web, at www.infoblox. \u00a31.",
      "modified": "2025-07-20T13:04:56.925000",
      "created": "2025-06-20T13:46:25.849000",
      "tags": [
        "vextrio",
        "help tds",
        "november",
        "tdss",
        "los pollos",
        "dns txt",
        "august",
        "december",
        "strong",
        "june",
        "april",
        "february",
        "cloud",
        "keitaro",
        "contact",
        "tools",
        "speed",
        "protect",
        "service",
        "evolution",
        "android",
        "virustotal",
        "clearfake",
        "telegram",
        "push",
        "cloudy",
        "cyber",
        "txt record",
        "tds",
        "operators",
        "disposable tds",
        "dollyway",
        "wordpress"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/"
      ],
      "public": 1,
      "adversary": "Cyber",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TXT Record",
          "display_name": "TXT Record",
          "target": null
        },
        {
          "id": "TDS",
          "display_name": "TDS",
          "target": null
        },
        {
          "id": "Operators",
          "display_name": "Operators",
          "target": null
        },
        {
          "id": "Disposable TDS",
          "display_name": "Disposable TDS",
          "target": null
        },
        {
          "id": "DollyWay",
          "display_name": "DollyWay",
          "target": null
        },
        {
          "id": "WordPress",
          "display_name": "WordPress",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1,
        "URL": 3,
        "domain": 41,
        "hostname": 45
      },
      "indicator_count": 90,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "315 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ecomicrolab.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ecomicrolab.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://ecomicrolab.com/?u=script",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-20",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780238113.5911255
}