{ "type": "Domain", "indicator": "esoftwareupdates.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/esoftwareupdates.com", "alexa": "http://www.alexa.com/siteinfo/esoftwareupdates.com", "indicator": "esoftwareupdates.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3597435209, "indicator": "esoftwareupdates.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 24, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386658, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "948 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513b48fc15b29e096cc0883", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T04:01:31.874000", "created": "2023-09-27T04:50:23.854000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "948 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513dba95e9f04e377e80ec6", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:37:13.684000", "created": "2023-09-27T07:37:13.684000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6513d2f4bd7a777522384d5c", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d2f4bd7a777522384d5c", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:00:04.025000", "created": "2023-09-27T07:00:04.025000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d29aa4726d5d22c9dbc9", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T06:58:34.207000", "created": "2023-09-27T06:58:34.207000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a09af58f85f39cb9fdd0", "name": "Threatview.io C2 Hunt Feed", "description": "Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:03:54.265000", "tags": [ "hunter", "pm utc", "am utc", "september", "august", "february", "january", "june", "april", "october", "media", "date", "comment" ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitman", "id": "195", "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 543, "hostname": 120 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63c53d1aec63c9e5a6f3645f", "name": "Cobalt Strike C2 | 01/09/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 01/09/2023.", "modified": "2023-02-15T00:00:43.391000", "created": "2023-01-16T12:03:38.823000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63bc06609ed51a074703b359", "name": "Cobalt Strike C2 | 01/02/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 01/02/2023.", "modified": "2023-02-08T00:00:43.275000", "created": "2023-01-09T12:19:44.186000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63bc03d63eda72279eab879b", "name": "Cobalt Strike C2 | 01/02/2023", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 01/02/2023.", "modified": "2023-02-08T00:00:43.275000", "created": "2023-01-09T12:08:54.748000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63b2c83ddc33119b2fc6c1ea", "name": "Cobalt Strike C2 | 12/26/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 12/26/2022.", "modified": "2023-02-01T00:00:14.511000", "created": "2023-01-02T12:04:13.825000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63a98de79c3b4cf1cce9cc43", "name": "Cobalt Strike C2 | 12/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 12/19/2022.", "modified": "2023-01-25T00:05:56.248000", "created": "2022-12-26T12:04:55.347000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63a98de0f485bcdb3d2849e0", "name": "Cobalt Strike Servers & C2 | 12/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 12/19/2022.", "modified": "2023-01-25T00:05:56.248000", "created": "2022-12-26T12:04:48.245000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63a05385478356c1623d952d", "name": "Cobalt Strike C2 | 12/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 12/12/2022.", "modified": "2023-01-18T00:02:08.324000", "created": "2022-12-19T12:05:25.368000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63a0538209e076d8842c91f1", "name": "Cobalt Strike Servers & C2 | 12/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 12/12/2022.", "modified": "2023-01-18T00:02:08.324000", "created": "2022-12-19T12:05:22.405000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6390a50a39397effdf9895bd", "name": "ACTIVIDAD MALICIOSA | IoC referentes a Cobalt Strike", "description": "Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as \"adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\". Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.", "modified": "2023-01-06T14:01:38.020000", "created": "2022-12-07T14:36:58.354000", "tags": [ "discovery", "ta0005", "ta0003", "ta0009", "ta0004", "ta0007", "ta0008", "ta0001", "t1001", "t1003", "manipulation", "cobalt strike", "cobaltstrike", "cloud ltd", "layer inc", "cherry servers", "beacon cobalt", "andregironda", "limited", "corporation", "huawei clouds" ], "references": [ "https://threatfox.abuse.ch/browse.php?search=malware%3ACobaltStrike", "www.alertasyseguridad.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 194, "domain": 9, "hostname": 21 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "1241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt", "https://www.group-ib.com/blog/shadowsyndicate-raas/", "https://threatfox.abuse.ch/browse.php?search=malware%3ACobaltStrike", "Aug1.pdf", "www.alertasyseguridad.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple" ], "malware_families": [ "", "Cobalt strike - s0154" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 24, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386658, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "948 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "esoftwareupdates.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "esoftwareupdates.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780310035.9189463 }