{ "type": "Domain", "indicator": "eflow-secure.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/eflow-secure.com", "alexa": "http://www.alexa.com/siteinfo/eflow-secure.com", "indicator": "eflow-secure.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3654001703, "indicator": "eflow-secure.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6812e7ad9b8cafc0f7fec1ce", "name": "FHS - FBI Phishing Domains Associated with LabHost PhaaS Platform Users", "description": "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world\u2019s largest PhaaS providers, offering a range of illicit services for approximately 10,000 users. The platform enabled cyber criminals to impersonate more than 200 organizations, including major banks and government institutions, in an effort to collect personal information and banking credentials from unsuspecting victims worldwide. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used by recipients for research and defense.", "modified": "2025-05-31T03:01:18.057000", "created": "2025-05-01T03:17:01.551000", "tags": [ "Phishing Domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FHS-Services", "id": "51336", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67041, "URL": 60, "hostname": 17338 }, "indicator_count": 84439, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d40723097f4c09d7724", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:28.274000", "created": "2025-05-01T15:03:28.274000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 562, "modified_text": "395 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d3cd48fd389972ce061", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:24.415000", "created": "2025-05-01T15:03:24.415000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "395 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6424c7c265a4c7be0ee3946a", "name": "InQuest - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:34.973000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 113, "domain": 1159, "URL": 1665, "hostname": 246, "FileHash-SHA1": 15, "FileHash-MD5": 32 }, "indicator_count": 3230, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv", "https://labs.inquest.net/iocdb" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LabHost" ], "malware_families": [ "Phishing" ], "industries": [ "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6812e7ad9b8cafc0f7fec1ce", "name": "FHS - FBI Phishing Domains Associated with LabHost PhaaS Platform Users", "description": "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world\u2019s largest PhaaS providers, offering a range of illicit services for approximately 10,000 users. The platform enabled cyber criminals to impersonate more than 200 organizations, including major banks and government institutions, in an effort to collect personal information and banking credentials from unsuspecting victims worldwide. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used by recipients for research and defense.", "modified": "2025-05-31T03:01:18.057000", "created": "2025-05-01T03:17:01.551000", "tags": [ "Phishing Domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FHS-Services", "id": "51336", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67041, "URL": 60, "hostname": 17338 }, "indicator_count": 84439, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d40723097f4c09d7724", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:28.274000", "created": "2025-05-01T15:03:28.274000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 562, "modified_text": "395 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d3cd48fd389972ce061", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:24.415000", "created": "2025-05-01T15:03:24.415000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "395 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6424c7c265a4c7be0ee3946a", "name": "InQuest - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:34.973000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 113, "domain": 1159, "URL": 1665, "hostname": 246, "FileHash-SHA1": 15, "FileHash-MD5": 32 }, "indicator_count": 3230, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "eflow-secure.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "eflow-secure.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780258155.9769049 }