{ "type": "Domain", "indicator": "espcomp.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/espcomp.net", "alexa": "http://www.alexa.com/siteinfo/espcomp.net", "indicator": "espcomp.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3377712256, "indicator": "espcomp.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6628ad5e718181a38855f2bf", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining", "description": "Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was orchestrated by a threat actor with possible ties to Kimsuky, a North Korean APT group. Two different types of backdoors were found, targeting large corporate networks. One provided SMB scanning and lateral movement, while the other was modular, accepting commands to install additional modules and scanning for private keys and cryptocurrency wallets. Interestingly, the final payload was also XMRig, a coinminer, which is unexpected for such a sophisticated operation.", "modified": "2024-05-24T06:05:46.885000", "created": "2024-04-24T06:57:34.207000", "tags": [ "backdoor", "coinminer", "xmrig", "GuptiMiner" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "XMRig", "display_name": "XMRig", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1592.002", "name": "Software", "display_name": "T1592.002 - Software" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 354, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 4, "FileHash-SHA256": 26, "URL": 6, "domain": 9 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 386961, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628fda86b927254e8339e26", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining - Avast Threat Labs", "description": "The GuptiMiner malware is a highly sophisticated threat that hijacks antivirus updates to distribute backdoors and coinminers, Avast has discovered and analyzed. in its analysis.", "modified": "2024-05-24T12:02:06.013000", "created": "2024-04-24T12:40:08.699000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode", "dns", "utc", "lazarus", "homuwitch", "modular" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "DNS", "targeted_countries": [], "malware_families": [ { "id": "UTC", "display_name": "UTC", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "HomuWitch", "display_name": "HomuWitch", "target": null }, { "id": "Modular", "display_name": "Modular", "target": null }, { "id": "GuptiMiner", "display_name": "GuptiMiner", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 8, "domain": 10 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628e0114b76d53b1314a856", "name": "Hackers hijack antivirus updates to drop GuptiMiner malware", "description": "North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. Researchers describe GuptiMiner as \"a highly sophisticated threat\" that can perform DNS requests to the attacker's DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.", "modified": "2024-05-24T10:00:29.863000", "created": "2024-04-24T10:33:53.726000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode", "dns", "utc", "lazarus", "homuwitch", "modular" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/", "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/" ], "public": 1, "adversary": "DNS", "targeted_countries": [], "malware_families": [ { "id": "UTC", "display_name": "UTC", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "HomuWitch", "display_name": "HomuWitch", "target": null }, { "id": "Modular", "display_name": "Modular", "target": null }, { "id": "GuptiMiner", "display_name": "GuptiMiner", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 332, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628cd01dc7388f7fe881212", "name": "CERT-UA", "description": "", "modified": "2024-05-24T09:03:46.136000", "created": "2024-04-24T09:12:33.549000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode" ], "references": [ "https://cert.gov.ua/article/6278706", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "662f2acd77f2b5b89a0aeb50", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining", "description": "", "modified": "2024-05-24T09:03:46.136000", "created": "2024-04-29T05:06:21.569000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode" ], "references": [ "https://cert.gov.ua/article/6278706", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6628cd01dc7388f7fe881212", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663b209f4550b92383fbefad", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining", "description": "", "modified": "2024-05-24T09:03:46.136000", "created": "2024-05-08T06:50:07.715000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode" ], "references": [ "https://cert.gov.ua/article/6278706", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "662f2acd77f2b5b89a0aeb50", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6629b7d7bc2505e53319f155", "name": "Antivirus updates highjacked to distribute backdoors", "description": "", "modified": "2024-04-25T01:54:31.492000", "created": "2024-04-25T01:54:31.492000", "tags": [], "references": [ "April 25th, 2024 - CryptoGen Cyber Threat Intelligence Advisory #4324 - Antivirus updates highjacked to distribute backdoors.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 4, "FileHash-SHA256": 17, "URL": 1, "domain": 8, "hostname": 38 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "768 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "662813295cb0ba4309c3c945", "name": "GuptiMiner malware", "description": "", "modified": "2024-04-23T19:59:37.191000", "created": "2024-04-23T19:59:37.191000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 24, "domain": 8, "hostname": 37 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "770 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "620b4f237184ada12927d3aa", "name": "NewDom-1-20220215", "description": "ICANN-Dom", "modified": "2022-04-01T00:01:54.852000", "created": "2022-02-15T06:58:43.368000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 204, "modified_text": "1523 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining", "April 25th, 2024 - CryptoGen Cyber Threat Intelligence Advisory #4324 - Antivirus updates highjacked to distribute backdoors.pdf", "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/", "https://cert.gov.ua/article/6278706" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [ "Xmrig" ], "industries": [] }, "other": { "adversary": [ "DNS" ], "malware_families": [ "Guptiminer", "Homuwitch", "Modular", "Lazarus", "Utc", "Kimsuky" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6628ad5e718181a38855f2bf", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining", "description": "Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. The campaign was orchestrated by a threat actor with possible ties to Kimsuky, a North Korean APT group. Two different types of backdoors were found, targeting large corporate networks. One provided SMB scanning and lateral movement, while the other was modular, accepting commands to install additional modules and scanning for private keys and cryptocurrency wallets. Interestingly, the final payload was also XMRig, a coinminer, which is unexpected for such a sophisticated operation.", "modified": "2024-05-24T06:05:46.885000", "created": "2024-04-24T06:57:34.207000", "tags": [ "backdoor", "coinminer", "xmrig", "GuptiMiner" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "XMRig", "display_name": "XMRig", "target": null } ], "attack_ids": [ { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1592.002", "name": "Software", "display_name": "T1592.002 - Software" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 354, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 4, "FileHash-SHA256": 26, "URL": 6, "domain": 9 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 386961, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628fda86b927254e8339e26", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining - Avast Threat Labs", "description": "The GuptiMiner malware is a highly sophisticated threat that hijacks antivirus updates to distribute backdoors and coinminers, Avast has discovered and analyzed. in its analysis.", "modified": "2024-05-24T12:02:06.013000", "created": "2024-04-24T12:40:08.699000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode", "dns", "utc", "lazarus", "homuwitch", "modular" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "DNS", "targeted_countries": [], "malware_families": [ { "id": "UTC", "display_name": "UTC", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "HomuWitch", "display_name": "HomuWitch", "target": null }, { "id": "Modular", "display_name": "Modular", "target": null }, { "id": "GuptiMiner", "display_name": "GuptiMiner", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 8, "domain": 10 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628e0114b76d53b1314a856", "name": "Hackers hijack antivirus updates to drop GuptiMiner malware", "description": "North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. Researchers describe GuptiMiner as \"a highly sophisticated threat\" that can perform DNS requests to the attacker's DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.", "modified": "2024-05-24T10:00:29.863000", "created": "2024-04-24T10:33:53.726000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode", "dns", "utc", "lazarus", "homuwitch", "modular" ], "references": [ "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/", "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/" ], "public": 1, "adversary": "DNS", "targeted_countries": [], "malware_families": [ { "id": "UTC", "display_name": "UTC", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "HomuWitch", "display_name": "HomuWitch", "target": null }, { "id": "Modular", "display_name": "Modular", "target": null }, { "id": "GuptiMiner", "display_name": "GuptiMiner", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 332, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6628cd01dc7388f7fe881212", "name": "CERT-UA", "description": "", "modified": "2024-05-24T09:03:46.136000", "created": "2024-04-24T09:12:33.549000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode" ], "references": [ "https://cert.gov.ua/article/6278706", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "CVE": 1, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "662f2acd77f2b5b89a0aeb50", "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining", "description": "", "modified": "2024-05-24T09:03:46.136000", "created": "2024-04-29T05:06:21.569000", "tags": [ "guptiminer", "puppeteer", "dns txt", "stage", "png file", "dns server", "ip address", "kimsuky", "windows", "iocs", "xmrig", "loader", "evolution", "manipulation", "shutdown", "defender", "antivm", "teamviewer", "june", "first", "winnti", "shellcode" ], "references": [ "https://cert.gov.ua/article/6278706", "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6628cd01dc7388f7fe881212", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 42, "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 26, "URL": 6, "domain": 10 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "espcomp.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "espcomp.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780434172.5229986 }