{ "type": "Domain", "indicator": "evocouae.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/evocouae.com", "alexa": "http://www.alexa.com/siteinfo/evocouae.com", "indicator": "evocouae.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4260944445, "indicator": "evocouae.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69b14da851c481eb34355935", "name": "Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified", "description": "The ongoing Middle East crisis has given rise to opportunistic online fraudulent activities. Two main strands have been observed: confirmed government-impersonation fraud and suspicious evacuation-themed websites. Fraudsters are exploiting the confusion and urgency surrounding the crisis to launch phishing campaigns and create deceptive websites. A notable example includes an email impersonating UAE authorities, urging recipients to complete a mandatory emergency registration form. Additionally, several newly registered websites offering evacuation services from Dubai and the Gulf region have emerged, displaying characteristics commonly associated with scams. These sites use crisis-related domain names, employ urgent messaging, lack verifiable operator details, and often request unconventional payment methods. The situation highlights the need for increased vigilance and proactive monitoring of emerging digital threats during geopolitical crises.", "modified": "2026-03-17T10:52:47.638000", "created": "2026-03-11T11:10:32.339000", "tags": [ "middle east crisis", "evacuation scams", "phishing", "government impersonation", "emergency registration", "domain exploitation", "fraud", "uae", "dubai" ], "references": [ "https://www.netcraft.com/blog/middle-east-crisis-opportunistic-fraud" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "77 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b9c7bd7abb09e2f4071819", "name": "Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified", "description": "", "modified": "2026-03-17T21:29:33.858000", "created": "2026-03-17T21:29:33.858000", "tags": [ "middle east crisis", "evacuation scams", "phishing", "government impersonation", "emergency registration", "domain exploitation", "fraud", "uae", "dubai" ], "references": [ "https://www.netcraft.com/blog/middle-east-crisis-opportunistic-fraud" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69b14da851c481eb34355935", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "76 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.netcraft.com/blog/middle-east-crisis-opportunistic-fraud", "IOCs.2026.4.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69b14da851c481eb34355935", "name": "Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified", "description": "The ongoing Middle East crisis has given rise to opportunistic online fraudulent activities. Two main strands have been observed: confirmed government-impersonation fraud and suspicious evacuation-themed websites. Fraudsters are exploiting the confusion and urgency surrounding the crisis to launch phishing campaigns and create deceptive websites. A notable example includes an email impersonating UAE authorities, urging recipients to complete a mandatory emergency registration form. Additionally, several newly registered websites offering evacuation services from Dubai and the Gulf region have emerged, displaying characteristics commonly associated with scams. These sites use crisis-related domain names, employ urgent messaging, lack verifiable operator details, and often request unconventional payment methods. The situation highlights the need for increased vigilance and proactive monitoring of emerging digital threats during geopolitical crises.", "modified": "2026-03-17T10:52:47.638000", "created": "2026-03-11T11:10:32.339000", "tags": [ "middle east crisis", "evacuation scams", "phishing", "government impersonation", "emergency registration", "domain exploitation", "fraud", "uae", "dubai" ], "references": [ "https://www.netcraft.com/blog/middle-east-crisis-opportunistic-fraud" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386867, "modified_text": "77 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b9c7bd7abb09e2f4071819", "name": "Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified", "description": "", "modified": "2026-03-17T21:29:33.858000", "created": "2026-03-17T21:29:33.858000", "tags": [ "middle east crisis", "evacuation scams", "phishing", "government impersonation", "emergency registration", "domain exploitation", "fraud", "uae", "dubai" ], "references": [ "https://www.netcraft.com/blog/middle-east-crisis-opportunistic-fraud" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "United Arab Emirates" ], "malware_families": [], "attack_ids": [ { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69b14da851c481eb34355935", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "76 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "evocouae.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "evocouae.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780399146.8398287 }