{
  "type": "Domain",
  "indicator": "emedjp.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/emedjp.com",
    "alexa": "http://www.alexa.com/siteinfo/emedjp.com",
    "indicator": "emedjp.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4169116938,
      "indicator": "emedjp.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6989f4a0761d0f153bbb94e4",
          "name": "Investigation on the EmEditor Supply Chain Cyberattack",
          "description": "A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.",
          "modified": "2026-03-11T14:03:26.774000",
          "created": "2026-02-09T14:52:16.312000",
          "tags": [
            "powershell",
            "supply chain attack",
            "emeditor",
            "command and control",
            "domain masquerading",
            "watering hole"
          ],
          "references": [
            "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA256": 1,
            "domain": 10
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386585,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69979ddcdbba1952fb51a3de",
          "name": "EbeeFeb2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-21T23:07:14.518000",
          "created": "2026-02-19T23:33:48.858000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20261281 cve",
            "uxxxxxx"
          ],
          "references": [
            "IOCs2.csv"
          ],
          "public": 1,
          "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "CVE": 7,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 148,
            "FileHash-SHA256": 205,
            "domain": 203,
            "hostname": 63
          },
          "indicator_count": 876,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "70 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699322538f5f568e2b4a5ada",
          "name": "Investigation on the EmEditor Supply Chain attack",
          "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was hxxp://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.",
          "modified": "2026-03-18T13:03:51.671000",
          "created": "2026-02-16T13:57:39.133000",
          "tags": [
            "emeditor supply",
            "chain attack"
          ],
          "references": [
            "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 5,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "74 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c4f02712e4743d0aa2263",
          "name": "EbeeFeb2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T09:42:26.929000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "redacted"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 159,
            "FileHash-SHA1": 186,
            "FileHash-SHA256": 256,
            "CVE": 4,
            "URL": 49,
            "domain": 98,
            "hostname": 46
          },
          "indicator_count": 798,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "79 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "698ab634eeb2333f0dd6ea59",
          "name": "Investigation on the EmEditor Supply Chain Cyberattack",
          "description": "",
          "modified": "2026-03-11T14:03:26.774000",
          "created": "2026-02-10T04:38:12.735000",
          "tags": [
            "powershell",
            "supply chain attack",
            "emeditor",
            "command and control",
            "domain masquerading",
            "watering hole"
          ],
          "references": [
            "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6989f4a0761d0f153bbb94e4",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA256": 1,
            "domain": 10
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "697db209bee23fd3f708fc91",
          "name": "Inside the EmEditor supply chain compromise",
          "description": "The supply chain compromise involving EmEditor illustrates sophisticated tactics employed by threat actors to manipulate software distribution. The attack unfolded in two primary phases, marked by strategic preparatory actions and the subsequent exploitation of a legitimate distribution mechanism. Initially, attackers registered look-alike command-and-control (C2) domains shortly before breaching the website and tampering with the installer downloads. Specifically, on December 19, the attackers redirected the 'Download Now' button to a backdoored installer instead of the authentic version, which was finalized prior to this date. The attackers resurfaced on December 29 to target a new version of the software, again employing freshly registered domains and signing installers with the intent to mislead users.",
          "modified": "2026-03-02T07:00:45.453000",
          "created": "2026-01-31T07:40:57.335000",
          "tags": [
            "figure",
            "december",
            "find evil",
            "msi installer",
            "patchfile",
            "spectra assure",
            "report",
            "c2 domain",
            "spectra analyze",
            "compound file",
            "download",
            "april",
            "powershell",
            "encrypt",
            "nuget"
          ],
          "references": [
            "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 24,
            "URL": 5,
            "domain": 23
          },
          "indicator_count": 62,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "90 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6953821dc4dee11db477385b",
          "name": "EmEditor Supply Chain Incident Details Disclosed: Distribution of Information-Stealing Malware Sweeps Through Domestic Government and Enterprise Entities",
          "description": "A report by Qianxin Threat Intelligence Center on an incident involving the renowned document editor EmEditor reveals details of a large-scale information-stealing malware attack on Chinese government and enterprise institutions.",
          "modified": "2026-01-29T07:03:28.109000",
          "created": "2025-12-30T07:41:17.644000",
          "tags": [
            "china"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 4,
            "domain": 16
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "122 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69527613bf748fc93397179c",
          "name": "pppppppppppppppppppp",
          "description": "Phonographic data, which can be accessed via a web browser, has been described as \"highly unusual\" by its owners, but it is not unusual to find a website on the site.",
          "modified": "2026-01-28T12:04:45.100000",
          "created": "2025-12-29T12:37:39.607000",
          "tags": [
            "domain",
            "ip address",
            "hashmd5",
            "hashsha256",
            "hashsha1"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MohammedRizwan2001",
            "id": "361933",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 12
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "123 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695263d9247fc4251c67c654",
          "name": "pppppppppppppppppppppppppp",
          "description": "Phonographic data, which can be accessed via a web browser, has been described as \"highly unusual\" by its owners, but it is not unusual to find a website on the site.",
          "modified": "2026-01-28T11:02:28.156000",
          "created": "2025-12-29T11:19:53.592000",
          "tags": [
            "domain",
            "ip address",
            "hashmd5",
            "hashsha256",
            "hashsha1"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MohammedRizwan2001",
            "id": "361933",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 12
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "123 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694e2c49ed072c432675e32d",
          "name": "IOC - EmEditor \u4f9b\u5e94\u94fe\u4e8b\u4ef6\u7ec6\u8282\u62ab\u9732\uff1a\u5206\u53d1\u7a83\u5bc6\u7279\u9a6c\u5e2d\u5377\u56fd\u5185\u653f\u4f01",
          "description": "2025 \u5e74 12 \u6708 23 \u65e5\uff0c\u8457\u540d\u6587\u6863\u7f16\u8f91\u5668 EmEditor \u5b98\u65b9\u53d1\u5e03\u516c\u544a\uff0c\u79f0 12 \u6708\u4efd 19 \u65e5\u81f3 22 \u65e5\u671f\u95f4\u5b98\u7f51\u5b89\u88c5\u5305\u88ab\u4f9b\u5e94\u94fe\u653b\u51fb\uff0cMSI \u5b89\u88c5\u5305\u88ab\u66ff\u6362\u6210\u5e26\u6709\u975e\u5b98\u65b9\u7b7e\u540d\u300aWALSHAM INVESTMENTS LIMITED\u300b\u7684\u6076\u610f\u5b89\u88c5\u5305",
          "modified": "2026-01-25T06:00:36.391000",
          "created": "2025-12-26T06:33:45.622000",
          "tags": [],
          "references": [
            "https://mp.weixin.qq.com/s?src=11&timestamp=1766729918&ver=6441&signature=35xPV-1b3b*nXM*Zw7KuenkkqR3NK51dxS9mhLcq9LYWy5nvFWA0ju*Ee432-zQik1e-LRKdGQGpVeBjfIy5WAe6cbaUP5TiYUyfpmC0hpVCmTMpoasRhSVUzG833iH2&new=1"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "URL": 3,
            "domain": 15
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://mp.weixin.qq.com/s?src=11&timestamp=1766729918&ver=6441&signature=35xPV-1b3b*nXM*Zw7KuenkkqR3NK51dxS9mhLcq9LYWy5nvFWA0ju*Ee432-zQik1e-LRKdGQGpVeBjfIy5WAe6cbaUP5TiYUyfpmC0hpVCmTMpoasRhSVUzG833iH2&new=1",
        "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise",
        "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack",
        "IOCs2.csv",
        "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/",
        "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/",
        "IOCs.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
            "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6989f4a0761d0f153bbb94e4",
      "name": "Investigation on the EmEditor Supply Chain Cyberattack",
      "description": "A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.",
      "modified": "2026-03-11T14:03:26.774000",
      "created": "2026-02-09T14:52:16.312000",
      "tags": [
        "powershell",
        "supply chain attack",
        "emeditor",
        "command and control",
        "domain masquerading",
        "watering hole"
      ],
      "references": [
        "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA256": 1,
        "domain": 10
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386585,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69979ddcdbba1952fb51a3de",
      "name": "EbeeFeb2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-21T23:07:14.518000",
      "created": "2026-02-19T23:33:48.858000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20261281 cve",
        "uxxxxxx"
      ],
      "references": [
        "IOCs2.csv"
      ],
      "public": 1,
      "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "CVE": 7,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 148,
        "FileHash-SHA256": 205,
        "domain": 203,
        "hostname": 63
      },
      "indicator_count": 876,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "70 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699322538f5f568e2b4a5ada",
      "name": "Investigation on the EmEditor Supply Chain attack",
      "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.",
      "modified": "2026-03-18T13:03:51.671000",
      "created": "2026-02-16T13:57:39.133000",
      "tags": [
        "emeditor supply",
        "chain attack"
      ],
      "references": [
        "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 5,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "74 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c4f02712e4743d0aa2263",
      "name": "EbeeFeb2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T09:42:26.929000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "redacted"
      ],
      "references": [
        "IOCs.csv"
      ],
      "public": 1,
      "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 159,
        "FileHash-SHA1": 186,
        "FileHash-SHA256": 256,
        "CVE": 4,
        "URL": 49,
        "domain": 98,
        "hostname": 46
      },
      "indicator_count": 798,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "79 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "698ab634eeb2333f0dd6ea59",
      "name": "Investigation on the EmEditor Supply Chain Cyberattack",
      "description": "",
      "modified": "2026-03-11T14:03:26.774000",
      "created": "2026-02-10T04:38:12.735000",
      "tags": [
        "powershell",
        "supply chain attack",
        "emeditor",
        "command and control",
        "domain masquerading",
        "watering hole"
      ],
      "references": [
        "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6989f4a0761d0f153bbb94e4",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA256": 1,
        "domain": 10
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "81 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "697db209bee23fd3f708fc91",
      "name": "Inside the EmEditor supply chain compromise",
      "description": "The supply chain compromise involving EmEditor illustrates sophisticated tactics employed by threat actors to manipulate software distribution. The attack unfolded in two primary phases, marked by strategic preparatory actions and the subsequent exploitation of a legitimate distribution mechanism. Initially, attackers registered look-alike command-and-control (C2) domains shortly before breaching the website and tampering with the installer downloads. Specifically, on December 19, the attackers redirected the 'Download Now' button to a backdoored installer instead of the authentic version, which was finalized prior to this date. The attackers resurfaced on December 29 to target a new version of the software, again employing freshly registered domains and signing installers with the intent to mislead users.",
      "modified": "2026-03-02T07:00:45.453000",
      "created": "2026-01-31T07:40:57.335000",
      "tags": [
        "figure",
        "december",
        "find evil",
        "msi installer",
        "patchfile",
        "spectra assure",
        "report",
        "c2 domain",
        "spectra analyze",
        "compound file",
        "download",
        "april",
        "powershell",
        "encrypt",
        "nuget"
      ],
      "references": [
        "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 24,
        "URL": 5,
        "domain": 23
      },
      "indicator_count": 62,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "90 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6953821dc4dee11db477385b",
      "name": "EmEditor Supply Chain Incident Details Disclosed: Distribution of Information-Stealing Malware Sweeps Through Domestic Government and Enterprise Entities",
      "description": "A report by Qianxin Threat Intelligence Center on an incident involving the renowned document editor EmEditor reveals details of a large-scale information-stealing malware attack on the Chinese government and enterprise institutions.",
      "modified": "2026-01-29T07:03:28.109000",
      "created": "2025-12-30T07:41:17.644000",
      "tags": [
        "china"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "URL": 4,
        "domain": 16
      },
      "indicator_count": 21,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "122 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69527613bf748fc93397179c",
      "name": "pppppppppppppppppppp",
      "description": "Phonographic data, which can be accessed via a web browser, has been described as \"highly unusual\" by its owners, but it is not unusual to find a website on the site.",
      "modified": "2026-01-28T12:04:45.100000",
      "created": "2025-12-29T12:37:39.607000",
      "tags": [
        "domain",
        "ip address",
        "hashmd5",
        "hashsha256",
        "hashsha1"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MohammedRizwan2001",
        "id": "361933",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 12
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "123 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695263d9247fc4251c67c654",
      "name": "pppppppppppppppppppppppppp",
      "description": "Phonographic data, which can be accessed via a web browser, has been described as \"highly unusual\" by its owners, but it is not unusual to find a website on the site.",
      "modified": "2026-01-28T11:02:28.156000",
      "created": "2025-12-29T11:19:53.592000",
      "tags": [
        "domain",
        "ip address",
        "hashmd5",
        "hashsha256",
        "hashsha1"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MohammedRizwan2001",
        "id": "361933",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 12
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "123 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "694e2c49ed072c432675e32d",
      "name": "IOC - EmEditor \u4f9b\u5e94\u94fe\u4e8b\u4ef6\u7ec6\u8282\u62ab\u9732\uff1a\u5206\u53d1\u7a83\u5bc6\u7279\u9a6c\u5e2d\u5377\u56fd\u5185\u653f\u4f01",
      "description": "2025 \u5e74 12 \u6708 23 \u65e5\uff0c\u8457\u540d\u6587\u6863\u7f16\u8f91\u5668 EmEditor \u5b98\u65b9\u53d1\u5e03\u516c\u544a\uff0c\u79f0 12 \u6708\u4efd 19 \u65e5\u81f3 22 \u65e5\u671f\u95f4\u5b98\u7f51\u5b89\u88c5\u5305\u88ab\u4f9b\u5e94\u94fe\u653b\u51fb\uff0cMSI \u5b89\u88c5\u5305\u88ab\u66ff\u6362\u6210\u5e26\u6709\u975e\u5b98\u65b9\u7b7e\u540d\u300aWALSHAM INVESTMENTS LIMITED\u300b\u7684\u6076\u610f\u5b89\u88c5\u5305",
      "modified": "2026-01-25T06:00:36.391000",
      "created": "2025-12-26T06:33:45.622000",
      "tags": [],
      "references": [
        "https://mp.weixin.qq.com/s?src=11&timestamp=1766729918&ver=6441&signature=35xPV-1b3b*nXM*Zw7KuenkkqR3NK51dxS9mhLcq9LYWy5nvFWA0ju*Ee432-zQik1e-LRKdGQGpVeBjfIy5WAe6cbaUP5TiYUyfpmC0hpVCmTMpoasRhSVUzG833iH2&new=1"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "URL": 3,
        "domain": 15
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "emedjp.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "emedjp.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780267848.4490385
}