{
  "type": "Domain",
  "indicator": "edfuture.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/edfuture.com",
    "alexa": "http://www.alexa.com/siteinfo/edfuture.com",
    "indicator": "edfuture.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4064103641,
      "indicator": "edfuture.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "69430d7dd15ada5cf6e88f2e",
          "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
          "description": "Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.",
          "modified": "2026-01-16T20:00:05.146000",
          "created": "2025-12-17T20:07:25.299000",
          "tags": [
            "phishing",
            "ukrainian targets",
            "ngrok",
            "proxy tunneling",
            "pdf lures",
            "gru",
            "russian threat actor",
            "webmail compromise",
            "ukr.net",
            "credential harvesting"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
          ],
          "public": 1,
          "adversary": "APT28",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 22,
            "domain": 8,
            "hostname": 17
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386539,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681113e0e23f344e6f364fb1",
          "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
          "description": "MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-04-29T18:01:04.133000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 51,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386540,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69439349843fc33b8cb09231",
          "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
          "description": "",
          "modified": "2026-01-16T20:00:05.146000",
          "created": "2025-12-18T05:38:17.560000",
          "tags": [
            "phishing",
            "ukrainian targets",
            "ngrok",
            "proxy tunneling",
            "pdf lures",
            "gru",
            "russian threat actor",
            "webmail compromise",
            "ukr.net",
            "credential harvesting"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
          ],
          "public": 1,
          "adversary": "BlueDelta",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69430d7dd15ada5cf6e88f2e",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 22,
            "domain": 8,
            "hostname": 17
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6943a5a76c7e0f7147e019ed",
          "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
          "description": "",
          "modified": "2026-01-16T20:00:05.146000",
          "created": "2025-12-18T06:56:39.450000",
          "tags": [
            "phishing",
            "ukrainian targets",
            "ngrok",
            "proxy tunneling",
            "pdf lures",
            "gru",
            "russian threat actor",
            "webmail compromise",
            "ukr.net",
            "credential harvesting"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
          ],
          "public": 1,
          "adversary": "BlueDelta",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69430d7dd15ada5cf6e88f2e",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 22,
            "domain": 8,
            "hostname": 17
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6944b3cc90980c4317560074",
          "name": "IOC - BlueDelta\u2019s Persistent Campaign Against UKR.NET",
          "description": "",
          "modified": "2026-01-16T20:00:05.146000",
          "created": "2025-12-19T02:09:16.070000",
          "tags": [
            "phishing",
            "ukrainian targets",
            "ngrok",
            "proxy tunneling",
            "pdf lures",
            "gru",
            "russian threat actor",
            "webmail compromise",
            "ukr.net",
            "credential harvesting"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
          ],
          "public": 1,
          "adversary": "BlueDelta",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69430d7dd15ada5cf6e88f2e",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 22,
            "domain": 8,
            "hostname": 17
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694b7812e882b4345a4d3a34",
          "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
          "description": "",
          "modified": "2026-01-16T20:00:05.146000",
          "created": "2025-12-24T05:20:18.033000",
          "tags": [
            "phishing",
            "ukrainian targets",
            "ngrok",
            "proxy tunneling",
            "pdf lures",
            "gru",
            "russian threat actor",
            "webmail compromise",
            "ukr.net",
            "credential harvesting"
          ],
          "references": [
            "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
          ],
          "public": 1,
          "adversary": "BlueDelta",
          "targeted_countries": [
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69430d7dd15ada5cf6e88f2e",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 22,
            "domain": 8,
            "hostname": 17
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6818de9f2cd48e06f1507998",
          "name": "MintsLoader",
          "description": "MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download\ncampaigns as early as 2024. The loader commonly deploys second-stage payloads such as\nGhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing)\nclient. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and\nPowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain\ngeneration algorithm (DGA), and HTTP-based command-and-control (C2) communications.",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-05T15:51:59.660000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681c57c4b9f1412274b9a51d",
          "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-08T07:05:40.216000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6818de9f2cd48e06f1507998",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681d952c8bca2dc530ab73cb",
          "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-09T05:39:56.696000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "681c57c4b9f1412274b9a51d",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6811c44c0d8cde7d41dfc3f8",
          "name": "IOC&TTP - Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "MintsLoader \u662f\u4e00\u79cd\u81ea 2024 \u5e74\u8d77\u5728\u9493\u9c7c\u90ae\u4ef6\u548c\u201c\u5047\u66f4\u65b0\u201d\u9a71\u52a8\u4e0b\u8f7d\u6d3b\u52a8\u4e2d\u88ab\u5e7f\u6cdb\u6295\u653e\u7684\u591a\u9636\u6bb5\u6076\u610f\u52a0\u8f7d\u5668\u3002\u5b83\u5148\u4ee5\u9ad8\u5ea6\u6df7\u6dc6\u7684 JavaScript \u548c PowerShell \u811a\u672c\u4e3a\u8f7d\u4f53\uff0c\u901a\u8fc7\u6c99\u7bb1/\u865a\u62df\u673a\u9003\u9038\u4e0e\u57fa\u4e8e\u65e5\u671f\u7684 DGA \u57df\u540d\u9690\u85cf C2 \u57fa\u7840\u8bbe\u65bd\uff0c\u968f\u540e\u4e0b\u53d1\u4e8c\u9636\u6bb5\u6709\u6548\u8f7d\u8377\uff08GhostWeaver\u3001StealC\u3001\u7ecf\u4fee\u6539\u7684 BOINC \u5ba2\u6237\u7aef\u7b49\uff09\u3002\u76ee\u524d\u5df2\u77e5\u7684\u6295\u653e\u6e20\u9053\u5305\u62ec TAG-124 \uff08LandUpdate808\uff09\u9488\u5bf9\u5de5\u4e1a\u3001\u80fd\u6e90\u53ca\u6cd5\u5f8b\u884c\u4e1a\u7684\u9c7c\u53c9\u5f0f\u90ae\u4ef6\u3001SocGholish\uff08FakeUpdates\uff09\u7be1\u6539\u7f51\u7ad9\u7684\u4f2a\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u4ee5\u53ca\u5229\u7528\u610f\u5927\u5229 PEC \u8ba4\u8bc1\u90ae\u7bb1\u6295\u9012\u7684\u201c\u53d1\u7968\u201d\u4e3b\u9898\u90ae\u4ef6\u3002\u7531\u4e8e\u6301\u7eed\u4f7f\u7528\u4ee3\u7801\u6df7\u6dc6\u3001\u73af\u5883\u63a2\u6d4b\u4e0e\u52a8\u6001\u57fa\u7840\u8bbe\u65bd\uff0cMintsLoader \u7ed9\u9759\u6001/\u884c\u4e3a\u68c0\u6d4b\u5e26\u6765\u6311\u6218\uff0c\u4f46\u5176\u57fa\u4e8e HTTP \u7684\u901a\u4fe1\u4e5f\u4e3a\u9632\u5fa1\u65b9\u63d0\u4f9b\u4e86\u53ef\u76d1\u6d4b\u9762\u3002",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-04-30T06:33:48.612000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "681113e0e23f344e6f364fb1",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6821a0bba01c2436ac892d3c",
          "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
          "description": "",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-05-12T07:18:19.466000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "681113e0e23f344e6f364fb1",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting",
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet",
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "TAG-124",
            "APT28"
          ],
          "malware_families": [
            "Ghostweaver",
            "Asyncrat",
            "Stealc",
            "Mintsloader"
          ],
          "industries": [
            "Manufacturing",
            "Energy",
            "Legal"
          ]
        },
        "other": {
          "adversary": [
            "TAG-124",
            "BlueDelta"
          ],
          "malware_families": [
            "Ghostweaver",
            "Asyncrat",
            "Stealc",
            "Mintsloader"
          ],
          "industries": [
            "Manufacturing",
            "Energy",
            "Legal"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "69430d7dd15ada5cf6e88f2e",
      "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
      "description": "Between June 2024 and April 2025, a sustained credential-harvesting campaign targeting UKR.NET users was identified, attributed to the Russian state-sponsored threat group BlueDelta. The group deployed multiple credential-harvesting pages themed as UKR.NET login portals, leveraging free web services and proxy tunneling platforms to collect user credentials. BlueDelta distributed PDF lures with embedded links to evade detection. The campaign demonstrates the group's adaptability and persistent focus on Ukrainian user credentials for intelligence purposes. Infrastructure changes, including the transition to ngrok and Serveo, reflect responses to takedown efforts. The activity highlights the GRU's continued interest in compromising Ukrainian credentials amid ongoing conflict.",
      "modified": "2026-01-16T20:00:05.146000",
      "created": "2025-12-17T20:07:25.299000",
      "tags": [
        "phishing",
        "ukrainian targets",
        "ngrok",
        "proxy tunneling",
        "pdf lures",
        "gru",
        "russian threat actor",
        "webmail compromise",
        "ukr.net",
        "credential harvesting"
      ],
      "references": [
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
      ],
      "public": 1,
      "adversary": "APT28",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 22,
        "domain": 8,
        "hostname": 17
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386539,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681113e0e23f344e6f364fb1",
      "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
      "description": "MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.",
      "modified": "2025-05-29T18:05:10.830000",
      "created": "2025-04-29T18:01:04.133000",
      "tags": [
        "asyncrat",
        "boinc",
        "tag-124",
        "socgholish",
        "stealc",
        "multi-stage loader",
        "phishing",
        "ghostweaver",
        "mintsloader",
        "drive-by download"
      ],
      "references": [
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
      ],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [
        "Italy"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Energy",
        "Legal",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 51,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 63,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 204,
        "URL": 138,
        "domain": 88
      },
      "indicator_count": 556,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386540,
      "modified_text": "366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69439349843fc33b8cb09231",
      "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
      "description": "",
      "modified": "2026-01-16T20:00:05.146000",
      "created": "2025-12-18T05:38:17.560000",
      "tags": [
        "phishing",
        "ukrainian targets",
        "ngrok",
        "proxy tunneling",
        "pdf lures",
        "gru",
        "russian threat actor",
        "webmail compromise",
        "ukr.net",
        "credential harvesting"
      ],
      "references": [
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
      ],
      "public": 1,
      "adversary": "BlueDelta",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69430d7dd15ada5cf6e88f2e",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 22,
        "domain": 8,
        "hostname": 17
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6943a5a76c7e0f7147e019ed",
      "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
      "description": "",
      "modified": "2026-01-16T20:00:05.146000",
      "created": "2025-12-18T06:56:39.450000",
      "tags": [
        "phishing",
        "ukrainian targets",
        "ngrok",
        "proxy tunneling",
        "pdf lures",
        "gru",
        "russian threat actor",
        "webmail compromise",
        "ukr.net",
        "credential harvesting"
      ],
      "references": [
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
      ],
      "public": 1,
      "adversary": "BlueDelta",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69430d7dd15ada5cf6e88f2e",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 22,
        "domain": 8,
        "hostname": 17
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6944b3cc90980c4317560074",
      "name": "IOC - BlueDelta\u2019s Persistent Campaign Against UKR.NET",
      "description": "",
      "modified": "2026-01-16T20:00:05.146000",
      "created": "2025-12-19T02:09:16.070000",
      "tags": [
        "phishing",
        "ukrainian targets",
        "ngrok",
        "proxy tunneling",
        "pdf lures",
        "gru",
        "russian threat actor",
        "webmail compromise",
        "ukr.net",
        "credential harvesting"
      ],
      "references": [
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
      ],
      "public": 1,
      "adversary": "BlueDelta",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69430d7dd15ada5cf6e88f2e",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 22,
        "domain": 8,
        "hostname": 17
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "694b7812e882b4345a4d3a34",
      "name": "BlueDelta\u2019s Persistent Campaign Against UKR.NET",
      "description": "",
      "modified": "2026-01-16T20:00:05.146000",
      "created": "2025-12-24T05:20:18.033000",
      "tags": [
        "phishing",
        "ukrainian targets",
        "ngrok",
        "proxy tunneling",
        "pdf lures",
        "gru",
        "russian threat actor",
        "webmail compromise",
        "ukr.net",
        "credential harvesting"
      ],
      "references": [
        "https://www.recordedfuture.com/research/bluedeltas-persistent-campaign-against-ukrnet"
      ],
      "public": 1,
      "adversary": "BlueDelta",
      "targeted_countries": [
        "Russian Federation",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69430d7dd15ada5cf6e88f2e",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 22,
        "domain": 8,
        "hostname": 17
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6818de9f2cd48e06f1507998",
      "name": "MintsLoader",
      "description": "MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as early as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-05T15:51:59.660000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681c57c4b9f1412274b9a51d",
      "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-08T07:05:40.216000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6818de9f2cd48e06f1507998",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681d952c8bca2dc530ab73cb",
      "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-09T05:39:56.696000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "681c57c4b9f1412274b9a51d",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6811c44c0d8cde7d41dfc3f8",
      "name": "IOC&TTP - Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "MintsLoader \u662f\u4e00\u79cd\u81ea 2024 \u5e74\u8d77\u5728\u9493\u9c7c\u90ae\u4ef6\u548c\u201c\u5047\u66f4\u65b0\u201d\u9a71\u52a8\u4e0b\u8f7d\u6d3b\u52a8\u4e2d\u88ab\u5e7f\u6cdb\u6295\u653e\u7684\u591a\u9636\u6bb5\u6076\u610f\u52a0\u8f7d\u5668\u3002\u5b83\u5148\u4ee5\u9ad8\u5ea6\u6df7\u6dc6\u7684 JavaScript \u548c PowerShell \u811a\u672c\u4e3a\u8f7d\u4f53\uff0c\u901a\u8fc7\u6c99\u7bb1/\u865a\u62df\u673a\u9003\u9038\u4e0e\u57fa\u4e8e\u65e5\u671f\u7684 DGA \u57df\u540d\u9690\u85cf C2 \u57fa\u7840\u8bbe\u65bd\uff0c\u968f\u540e\u4e0b\u53d1\u4e8c\u9636\u6bb5\u6709\u6548\u8f7d\u8377\uff08GhostWeaver\u3001StealC\u3001\u7ecf\u4fee\u6539\u7684 BOINC \u5ba2\u6237\u7aef\u7b49\uff09\u3002\u76ee\u524d\u5df2\u77e5\u7684\u6295\u653e\u6e20\u9053\u5305\u62ec TAG-124 \uff08LandUpdate808\uff09\u9488\u5bf9\u5de5\u4e1a\u3001\u80fd\u6e90\u53ca\u6cd5\u5f8b\u884c\u4e1a\u7684\u9c7c\u53c9\u5f0f\u90ae\u4ef6\u3001SocGholish\uff08FakeUpdates\uff09\u7be1\u6539\u7f51\u7ad9\u7684\u4f2a\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u4ee5\u53ca\u5229\u7528\u610f\u5927\u5229 PEC \u8ba4\u8bc1\u90ae\u7bb1\u6295\u9012\u7684\u201c\u53d1\u7968\u201d\u4e3b\u9898\u90ae\u4ef6\u3002\u7531\u4e8e\u6301\u7eed\u4f7f\u7528\u4ee3\u7801\u6df7\u6dc6\u3001\u73af\u5883\u63a2\u6d4b\u4e0e\u52a8\u6001\u57fa\u7840\u8bbe\u65bd\uff0cMintsLoader \u7ed9\u9759\u6001/\u884c\u4e3a\u68c0\u6d4b\u5e26\u6765\u6311\u6218\uff0c\u4f46\u5176\u57fa\u4e8e HTTP \u7684\u901a\u4fe1\u4e5f\u4e3a\u9632\u5fa1\u65b9\u63d0\u4f9b\u4e86\u53ef\u76d1\u6d4b\u9762\u3002",
      "modified": "2025-05-29T18:05:10.830000",
      "created": "2025-04-30T06:33:48.612000",
      "tags": [
        "asyncrat",
        "boinc",
        "tag-124",
        "socgholish",
        "stealc",
        "multi-stage loader",
        "phishing",
        "ghostweaver",
        "mintsloader",
        "drive-by download"
      ],
      "references": [
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
      ],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [
        "Italy"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Energy",
        "Legal",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "681113e0e23f344e6f364fb1",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 63,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 204,
        "URL": 138,
        "domain": 88
      },
      "indicator_count": 556,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "edfuture.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "edfuture.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780236441.2492962
}