{
  "type": "Domain",
  "indicator": "ewtp.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ewtp.com",
    "alexa": "http://www.alexa.com/siteinfo/ewtp.com",
    "indicator": "ewtp.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3442439347,
      "indicator": "ewtp.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "693de4a8a72cf95b028365f0",
          "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee",
          "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets",
          "modified": "2026-01-12T21:02:35.560000",
          "created": "2025-12-13T22:11:52.474000",
          "tags": [
            "network",
            "ip address",
            "subnet",
            "dynamicloader",
            "port",
            "destination",
            "high",
            "windows",
            "united",
            "write",
            "tofsee",
            "stream",
            "win64",
            "push",
            "urls",
            "url analysis",
            "dnssec",
            "script domains",
            "encrypt",
            "url add",
            "http",
            "related nids",
            "flag united",
            "germany",
            "address google",
            "passive dns",
            "ipv4 add",
            "files",
            "asn as13335",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "location united",
            "asn asnone",
            "present dec",
            "backdoor",
            "lowfi",
            "win32autoit mar",
            "urls show",
            "date checked",
            "connection",
            "httponly",
            "secure",
            "path",
            "expiressat",
            "dynamic cfray",
            "medium",
            "delete c",
            "displayname",
            "show",
            "unknown",
            "next",
            "rndhex",
            "malware",
            "cname",
            "next associated",
            "url hostname",
            "server response",
            "google safe",
            "read c",
            "unicode",
            "png image",
            "rgba",
            "memcommit",
            "dock",
            "execution",
            "files location",
            "china flag",
            "china hostname",
            "hostname",
            "domain",
            "files ip",
            "address",
            "asn as45102",
            "gmt content",
            "certificate",
            "associated urls",
            "location china",
            "china asn",
            "as4808 china",
            "present aug",
            "object",
            "present apr",
            "present oct",
            "alman",
            "present sep",
            "error",
            "present jul",
            "rmndrp",
            "present feb",
            "expiration",
            "url https",
            "url http",
            "iocs",
            "review iocs",
            "expireswed",
            "samesitenone",
            "maxage86400",
            "maxage0",
            "server",
            "expires",
            "victina nulcac",
            "data upload",
            "extraction",
            "enter",
            "enter source",
            "url data",
            "type",
            "extract indic",
            "included iocs",
            "china unknown",
            "botnet",
            "folk in browser",
            "japan unknown",
            "asnone country",
            "as13335",
            "a domains",
            "script urls",
            "servers",
            "title",
            "moved",
            "record value",
            "entries",
            "whitelisted",
            "powershell",
            "xf9xb5xf9",
            "xxcexf6x8fr",
            "k2xe7xcbxxeaxa2",
            "x99x19",
            "x88yxf9xc858",
            "x83x12x8da",
            "zx9bx8ex84",
            "attempts",
            "yara detections",
            "contacted",
            "tags none",
            "file type",
            "pe packer",
            "dll compilation",
            "guard",
            "botnets"
          ],
          "references": [
            "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
            "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
            "foundry.neconsside.com \u2022 http://foundry.neconsside.com",
            "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
            "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Hong Kong",
            "United States of America",
            "Russian Federation",
            "T\u00fcrkiye",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "AutoIT",
              "display_name": "AutoIT",
              "target": null
            },
            {
              "id": "HtBot",
              "display_name": "HtBot",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1593.001",
              "name": "Social Media",
              "display_name": "T1593.001 - Social Media"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1481",
              "name": "Web Service",
              "display_name": "T1481 - Web Service"
            },
            {
              "id": "T1534",
              "name": "Internal Spearphishing",
              "display_name": "T1534 - Internal Spearphishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1459",
              "name": "Device Unlock Code Guessing or Brute Force",
              "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8145,
            "domain": 1389,
            "FileHash-SHA256": 1545,
            "CIDR": 2,
            "hostname": 2533,
            "FileHash-MD5": 209,
            "FileHash-SHA1": 190,
            "email": 6,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 14023,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "139 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655f843a4a497dd63885733c",
          "name": "Outbreak | https://www.hybrid-analysis.com/",
          "description": "I'm being redirected. I'm not sure whether Hybrid Analysis is being attacked. It's more likely that I'm under attack and being redirected, or that Hybrid Analysis is an unsafe site.",
          "modified": "2023-12-23T16:04:30.209000",
          "created": "2023-11-23T16:56:26.142000",
          "tags": [
            "whois record",
            "ssl certificate",
            "contacted",
            "historical ssl",
            "collections",
            "bundled",
            "referrer",
            "historical",
            "whois whois",
            "whois",
            "startpage",
            "project",
            "skynet",
            "trickbot",
            "execution",
            "generic malware",
            "ip summary",
            "url summary",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "malware",
            "united",
            "heur",
            "phishing",
            "cyber threat",
            "engineering",
            "maltiverse",
            "control server",
            "team",
            "malicious site",
            "emotet",
            "cobalt strike",
            "pony",
            "download",
            "squirrelwaffle",
            "binder",
            "suppobox",
            "virut",
            "ramnit",
            "dropper",
            "virustotal",
            "formbook",
            "facebook",
            "artemis",
            "azorult",
            "mirai",
            "nanocore",
            "bradesco",
            "cisco umbrella",
            "site",
            "alexa top",
            "malware site",
            "million",
            "safe site",
            "phishing site",
            "alexa",
            "unsafe",
            "cleaner",
            "riskware",
            "downloader",
            "redirector",
            "nircmd",
            "gandcrab",
            "iframe",
            "occamy",
            "opencandy",
            "alinaos",
            "casur",
            "networm",
            "patcher",
            "outbreak",
            "iobit",
            "rostpay",
            "exploit",
            "downldr",
            "mimikatz",
            "agent",
            "malcert",
            "installcore",
            "predator",
            "mywebsearch",
            "kuaizip",
            "funshion",
            "presenoker",
            "fusioncore",
            "conduit",
            "generic",
            "trojan",
            "crack",
            "blacklist https",
            "zt7t3wzz",
            "locky",
            "tulach"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Locky",
              "display_name": "Locky",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "Tulach",
              "display_name": "Tulach",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 818,
            "URL": 2817,
            "FileHash-MD5": 563,
            "FileHash-SHA1": 312,
            "FileHash-SHA256": 2529,
            "domain": 481,
            "CVE": 10
          },
          "indicator_count": 7530,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "890 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708e254b734f1efd8bd0ad",
          "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4",
          "description": "",
          "modified": "2023-12-06T15:07:17.380000",
          "created": "2023-12-06T15:07:17.380000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1645,
            "URL": 8598,
            "domain": 1004,
            "hostname": 2066,
            "FileHash-MD5": 3
          },
          "indicator_count": 13316,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708d657f0895a860febf8f",
          "name": "SafeFrame Container",
          "description": "",
          "modified": "2023-12-06T15:04:05.932000",
          "created": "2023-12-06T15:04:05.932000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1416,
            "domain": 2979,
            "URL": 8250,
            "hostname": 2262
          },
          "indicator_count": 14907,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6280921bfbaf2aace62511f1",
          "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4",
          "description": "Alibaba",
          "modified": "2022-06-14T00:00:05.659000",
          "created": "2022-05-15T05:39:39.040000",
          "tags": [
            "typeerror",
            "object",
            "typeof t",
            "symbol",
            "typeof e",
            "typeof self",
            "webpackrequire",
            "typeof n",
            "json",
            "math",
            "body",
            "copyright",
            "apoorv saxena",
            "typeof",
            "typeof define",
            "detect ie",
            "typeof document",
            "substring",
            "\u963f\u91cc\u5df4\u5df4\uff0c1688\uff0c\u5fae\u5546\uff0c\u5fae\u5e97\uff0c\u8d27\u6e90\uff0c\u5973\u88c5\u6279\u53d1\uff0c\u7537\u88c5\uff0cb2b\uff0c\u6279\u53d1\uff0c\u91c7\u8d2d",
            "typeof symbol",
            "promise",
            "error",
            "date",
            "createclass",
            "array",
            "this",
            "typeof lib",
            "null",
            "mozilla",
            "regexp",
            "typeof require",
            "xmlhttprequest",
            "license",
            "xdomainrequest",
            "aplusscore",
            "s1e4",
            "cfunction",
            "html5",
            "span",
            "button",
            "android",
            "jupdate",
            "void",
            "webview",
            "kraken",
            "nundefined",
            "xfunction",
            "zfunction",
            "chrome",
            "xuexi",
            "nullj",
            "area",
            "mtopwvplugin",
            "activexobject",
            "post",
            "options",
            "function",
            "head",
            "delete",
            "false",
            "trace",
            "patch",
            "unknown",
            "alipay",
            "ff6a00",
            "opacity100",
            "opacity0",
            "f2f3f7",
            "e6e7eb",
            "f7f8fa",
            "helvetica neue",
            "helvetica",
            "tahoma",
            "arial",
            "\u963f\u91cc\u5df4\u5df4\uff0c\u91c7\u8d2d\u6279\u53d1\uff0c1688\uff0c\u884c\u4e1a\u95e8\u6237\uff0c\u7f51\u4e0a\u8d38\u6613\uff0cb2b\uff0c\u7535\u5b50\u5546\u52a1\uff0c\u5185\u8d38\uff0c\u5916\u8d38\uff0c\u6279\u53d1\uff0c\u884c\u4e1a\u8d44\u8baf\uff0c\u7f51\u4e0a\u8d38\u6613\uff0c\u7f51\u4e0a\u4ea4\u6613\uff0c\u4ea4\u6613\u5e02\u573a\uff0c\u5728",
            "1688",
            "1000",
            "yunos",
            "lazada",
            "http response",
            "gmt contenttype",
            "vary"
          ],
          "references": [
            "xfe-URL-1688.com-stix2-2.1-export.json",
            "xfe-IP-47.89.52.178-stix2-2.1-export.json",
            "https://page.1688.com/shtml/static/wrongpage.html",
            "http://polyfill.alicdn.com/",
            "xfe-URL-Alijk.com-stix2-2.1-export.json",
            "http://i.alicdn.com/",
            "http://is.alicdn.com/",
            "http://1688.com/",
            "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop",
            "xfe-URL-mind.1688.com-stix2-2.1-export.json",
            "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js",
            "https://g.alicdn.com/alilog/mlog/aplus_wap.js",
            "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html",
            "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js",
            "http://g.alicdn.com/assets-group/croco/0.0.8/index.js"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8598,
            "hostname": 2066,
            "domain": 1004,
            "FileHash-SHA256": 1645,
            "FileHash-MD5": 3
          },
          "indicator_count": 13316,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "1448 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62752a3d78ce35783bfc85cc",
          "name": "SafeFrame Container",
          "description": "If you want to know what is going to happen when you create a non-iterable object, try these three pieces of code in the form of a new \"word\" or \"phrase\".",
          "modified": "2022-06-05T00:03:45.266000",
          "created": "2022-05-06T14:01:33.267000",
          "tags": [
            "public",
            "typeof",
            "typeof define",
            "array",
            "typeerror",
            "typeof symbol",
            "error",
            "typeof enulle",
            "sdkversion",
            "internal",
            "date",
            "cnzzdata",
            "czuuid",
            "umdistinctid",
            "typeof e",
            "typeof t",
            "version",
            "swiper",
            "most",
            "copyright",
            "mit license",
            "april",
            "trident",
            "win32",
            "class",
            "lh",
            "vd",
            "function",
            "overlaylevel",
            "zdhxiong",
            "customevent",
            "symbol",
            "object",
            "string",
            "number",
            "null",
            "uint8array",
            "typeof b",
            "iframe",
            "android",
            "embed",
            "meta",
            "0x14a",
            "0x104",
            "0x97",
            "0xe1",
            "0x228",
            "0x12b",
            "0x14e",
            "0xf5",
            "0x11a",
            "0xc6",
            "sxa0",
            "typeof d",
            "closure library",
            "array int8array",
            "b1342177279",
            "regexp",
            "typeof r",
            "pseudo",
            "child",
            "typeof n",
            "template",
            "void",
            "this",
            "ienew ca",
            "quota",
            "aafunction",
            "dafunction",
            "gc",
            "trackpageview",
            "trackevent",
            "gtmmdcvhgd",
            "node",
            "element",
            "path",
            "reduceright",
            "p420",
            "gc3w7t6h5qw",
            "kafunction",
            "fafafa",
            "xlfunction",
            "kkfunction",
            "nkfunction",
            "qkfunction",
            "rkfunction",
            "skfunction",
            "span",
            "edge",
            "bad idp",
            "bad event",
            "crios",
            "invalid attempt",
            "afunction",
            "ufunction",
            "kfunction"
          ],
          "references": [
            "xfe-URL-himado.com-stix2-2.1-export.json",
            "xfe-IP-146.148.236.187-stix2-2.1-export.json",
            "xfe-URL-Psychz.net-stix2-2.1-export.json",
            "https://cdn.ampproject.org/rtv/012204221712000/amp4ads-host-v0.js",
            "https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.iTmf4rxOyWc.O/m=auth2/rt=j/sv=1/d=1/ed=1/rs=AHpOoo-LTnDn-AS2QlMWYZdnaV1OuFR7Iw/cb=gapi.loaded_0?le=scs",
            "https://securepubads.g.doubleclick.net/gpt/pubads_impl_page_level_ads_2022050201.js",
            "https://www.googletagmanager.com/gtag/js?id=G-C3W7T6H5QW&l=dataLayer&cx=c",
            "https://www.googletagmanager.com/gtm.js?id=GTM-MDCVHGD",
            "https://www.googletagmanager.com/gtag/js?id=UA-122335014-2",
            "https://himado.com/heihei/layui/layui.all.js",
            "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
            "https://himado.com/cdn-cgi/challenge-platform/h/g/scripts/invisible.js?ts=1651842000",
            "https://securepubads.g.doubleclick.net/gpt/pubads_impl_2022050201.js",
            "https://himado.com/heihei/node_modules/mdui/dist/js/mdui.min.js",
            "https://himado.com/heihei/js/swiper.min.js",
            "https://cdn.onesignal.com/sdks/OneSignalSDK.js",
            "https://c.cnzz.com/core.php?web_id=1280305902&t=z",
            "https://s4.cnzz.com/z_stat.php?id=1280305902&web_id=1280305902",
            "https://www.gstatic.com/firebasejs/8.1.2/firebase-app.js",
            "https://281cecd8ae73dff542e13679e60d5fb9.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html",
            "xfe-URL-Cnzz.com-stix2-2.1-export.json",
            "xfe-URL-Aliyun.com-stix2-2.1-export.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lh",
              "display_name": "Lh",
              "target": null
            },
            {
              "id": "Gc",
              "display_name": "Gc",
              "target": null
            },
            {
              "id": "ReduceRight",
              "display_name": "ReduceRight",
              "target": null
            },
            {
              "id": "Vd",
              "display_name": "Vd",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2262,
            "URL": 8251,
            "FileHash-SHA256": 1416,
            "domain": 2979
          },
          "indicator_count": 14908,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "1457 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html",
        "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
        "https://himado.com/heihei/node_modules/mdui/dist/js/mdui.min.js",
        "https://www.gstatic.com/firebasejs/8.1.2/firebase-app.js",
        "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com",
        "https://page.1688.com/shtml/static/wrongpage.html",
        "http://g.alicdn.com/assets-group/croco/0.0.8/index.js",
        "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
        "https://securepubads.g.doubleclick.net/gpt/pubads_impl_page_level_ads_2022050201.js",
        "xfe-IP-47.89.52.178-stix2-2.1-export.json",
        "https://himado.com/heihei/layui/layui.all.js",
        "https://cdn.ampproject.org/rtv/012204221712000/amp4ads-host-v0.js",
        "xfe-URL-Psychz.net-stix2-2.1-export.json",
        "https://himado.com/heihei/js/swiper.min.js",
        "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js",
        "foundry.neconsside.com \u2022 http://foundry.neconsside.com",
        "https://securepubads.g.doubleclick.net/gpt/pubads_impl_2022050201.js",
        "https://g.alicdn.com/alilog/mlog/aplus_wap.js",
        "https://c.cnzz.com/core.php?web_id=1280305902&t=z",
        "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js",
        "xfe-URL-Alijk.com-stix2-2.1-export.json",
        "xfe-URL-Aliyun.com-stix2-2.1-export.json",
        "xfe-URL-himado.com-stix2-2.1-export.json",
        "xfe-URL-Cnzz.com-stix2-2.1-export.json",
        "https://s4.cnzz.com/z_stat.php?id=1280305902&web_id=1280305902",
        "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
        "http://i.alicdn.com/",
        "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
        "https://himado.com/cdn-cgi/challenge-platform/h/g/scripts/invisible.js?ts=1651842000",
        "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop",
        "xfe-IP-146.148.236.187-stix2-2.1-export.json",
        "https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.iTmf4rxOyWc.O/m=auth2/rt=j/sv=1/d=1/ed=1/rs=AHpOoo-LTnDn-AS2QlMWYZdnaV1OuFR7Iw/cb=gapi.loaded_0?le=scs",
        "https://cdn.onesignal.com/sdks/OneSignalSDK.js",
        "xfe-URL-1688.com-stix2-2.1-export.json",
        "xfe-URL-mind.1688.com-stix2-2.1-export.json",
        "http://is.alicdn.com/",
        "https://www.googletagmanager.com/gtag/js?id=UA-122335014-2",
        "http://1688.com/",
        "https://281cecd8ae73dff542e13679e60d5fb9.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html",
        "http://polyfill.alicdn.com/",
        "https://www.googletagmanager.com/gtm.js?id=GTM-MDCVHGD",
        "https://www.googletagmanager.com/gtag/js?id=G-C3W7T6H5QW&l=dataLayer&cx=c"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Htbot",
            "Mirai",
            "Vd",
            "Autoit",
            "Locky",
            "Lh",
            "Tulach",
            "Reduceright",
            "Maltiverse",
            "Backdoor:win32/tofsee",
            "Gc"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "693de4a8a72cf95b028365f0",
      "name": "Bot Block 162.159.128.0/19 | X Fake tweets | Tofsee",
      "description": "Tofsee.Trojan.T malware infection affects infected devices. \n\n\n#unlocked #injection #dead_host #compromised_devices #folk_in _browser #botnets",
      "modified": "2026-01-12T21:02:35.560000",
      "created": "2025-12-13T22:11:52.474000",
      "tags": [
        "network",
        "ip address",
        "subnet",
        "dynamicloader",
        "port",
        "destination",
        "high",
        "windows",
        "united",
        "write",
        "tofsee",
        "stream",
        "win64",
        "push",
        "urls",
        "url analysis",
        "dnssec",
        "script domains",
        "encrypt",
        "url add",
        "http",
        "related nids",
        "flag united",
        "germany",
        "address google",
        "passive dns",
        "ipv4 add",
        "files",
        "asn as13335",
        "dns resolutions",
        "domains top",
        "level",
        "unique tlds",
        "location united",
        "asn asnone",
        "present dec",
        "backdoor",
        "lowfi",
        "win32autoit mar",
        "urls show",
        "date checked",
        "connection",
        "httponly",
        "secure",
        "path",
        "expiressat",
        "dynamic cfray",
        "medium",
        "delete c",
        "displayname",
        "show",
        "unknown",
        "next",
        "rndhex",
        "malware",
        "cname",
        "next associated",
        "url hostname",
        "server response",
        "google safe",
        "read c",
        "unicode",
        "png image",
        "rgba",
        "memcommit",
        "dock",
        "execution",
        "files location",
        "china flag",
        "china hostname",
        "hostname",
        "domain",
        "files ip",
        "address",
        "asn as45102",
        "gmt content",
        "certificate",
        "associated urls",
        "location china",
        "china asn",
        "as4808 china",
        "present aug",
        "object",
        "present apr",
        "present oct",
        "alman",
        "present sep",
        "error",
        "present jul",
        "rmndrp",
        "present feb",
        "expiration",
        "url https",
        "url http",
        "iocs",
        "review iocs",
        "expireswed",
        "samesitenone",
        "maxage86400",
        "maxage0",
        "server",
        "expires",
        "victina nulcac",
        "data upload",
        "extraction",
        "enter",
        "enter source",
        "url data",
        "type",
        "extract indic",
        "included iocs",
        "china unknown",
        "botnet",
        "folk in browser",
        "japan unknown",
        "asnone country",
        "as13335",
        "a domains",
        "script urls",
        "servers",
        "title",
        "moved",
        "record value",
        "entries",
        "whitelisted",
        "powershell",
        "xf9xb5xf9",
        "xxcexf6x8fr",
        "k2xe7xcbxxeaxa2",
        "x99x19",
        "x88yxf9xc858",
        "x83x12x8da",
        "zx9bx8ex84",
        "attempts",
        "yara detections",
        "contacted",
        "tags none",
        "file type",
        "pe packer",
        "dll compilation",
        "guard",
        "botnets"
      ],
      "references": [
        "https://x.com/DenverPolice/status/1999710339584475507?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet",
        "x.com | 162.159.140.229 (162.159.128.0/19) AS 13335 ( CLOUDFLARENET )",
        "foundry.neconsside.com \u2022 http://foundry.neconsside.com",
        "http://foundry.neconsside.com/ \u2022 https://foundry.neconsside.com \u2022 https://foundry.neconsside",
        "IT Mirai | https://otx.alienvault.com/indicator/domain/miraitranslate.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Hong Kong",
        "United States of America",
        "Russian Federation",
        "T\u00fcrkiye",
        "Netherlands"
      ],
      "malware_families": [
        {
          "id": "Backdoor:Win32/Tofsee",
          "display_name": "Backdoor:Win32/Tofsee",
          "target": "/malware/Backdoor:Win32/Tofsee"
        },
        {
          "id": "AutoIT",
          "display_name": "AutoIT",
          "target": null
        },
        {
          "id": "HtBot",
          "display_name": "HtBot",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1593.001",
          "name": "Social Media",
          "display_name": "T1593.001 - Social Media"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1481",
          "name": "Web Service",
          "display_name": "T1481 - Web Service"
        },
        {
          "id": "T1534",
          "name": "Internal Spearphishing",
          "display_name": "T1534 - Internal Spearphishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1459",
          "name": "Device Unlock Code Guessing or Brute Force",
          "display_name": "T1459 - Device Unlock Code Guessing or Brute Force"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 8145,
        "domain": 1389,
        "FileHash-SHA256": 1545,
        "CIDR": 2,
        "hostname": 2533,
        "FileHash-MD5": 209,
        "FileHash-SHA1": 190,
        "email": 6,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 14023,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "139 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655f843a4a497dd63885733c",
      "name": "Outbreak | https://www.hybrid-analysis.com/",
      "description": "I'm being redirected. I'm not sure what if Hybrid Analysis is attacked. It's more likely I'm under attack and being redirected or Hybrid Analysis is an unsafe site.",
      "modified": "2023-12-23T16:04:30.209000",
      "created": "2023-11-23T16:56:26.142000",
      "tags": [
        "whois record",
        "ssl certificate",
        "contacted",
        "historical ssl",
        "collections",
        "bundled",
        "referrer",
        "historical",
        "whois whois",
        "whois",
        "startpage",
        "project",
        "skynet",
        "trickbot",
        "execution",
        "generic malware",
        "ip summary",
        "url summary",
        "summary",
        "sample",
        "samples",
        "detection list",
        "blacklist",
        "malware",
        "united",
        "heur",
        "phishing",
        "cyber threat",
        "engineering",
        "maltiverse",
        "control server",
        "team",
        "malicious site",
        "emotet",
        "cobalt strike",
        "pony",
        "download",
        "squirrelwaffle",
        "binder",
        "suppobox",
        "virut",
        "ramnit",
        "dropper",
        "virustotal",
        "formbook",
        "facebook",
        "artemis",
        "azorult",
        "mirai",
        "nanocore",
        "bradesco",
        "cisco umbrella",
        "site",
        "alexa top",
        "malware site",
        "million",
        "safe site",
        "phishing site",
        "alexa",
        "unsafe",
        "cleaner",
        "riskware",
        "downloader",
        "redirector",
        "nircmd",
        "gandcrab",
        "iframe",
        "occamy",
        "opencandy",
        "alinaos",
        "casur",
        "networm",
        "patcher",
        "outbreak",
        "iobit",
        "rostpay",
        "exploit",
        "downldr",
        "mimikatz",
        "agent",
        "malcert",
        "installcore",
        "predator",
        "mywebsearch",
        "kuaizip",
        "funshion",
        "presenoker",
        "fusioncore",
        "conduit",
        "generic",
        "trojan",
        "crack",
        "blacklist https",
        "zt7t3wzz",
        "locky",
        "tulach"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Locky",
          "display_name": "Locky",
          "target": null
        },
        {
          "id": "Maltiverse",
          "display_name": "Maltiverse",
          "target": null
        },
        {
          "id": "Tulach",
          "display_name": "Tulach",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 818,
        "URL": 2817,
        "FileHash-MD5": 563,
        "FileHash-SHA1": 312,
        "FileHash-SHA256": 2529,
        "domain": 481,
        "CVE": 10
      },
      "indicator_count": 7530,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 220,
      "modified_text": "890 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708e254b734f1efd8bd0ad",
      "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4",
      "description": "",
      "modified": "2023-12-06T15:07:17.380000",
      "created": "2023-12-06T15:07:17.380000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1645,
        "URL": 8598,
        "domain": 1004,
        "hostname": 2066,
        "FileHash-MD5": 3
      },
      "indicator_count": 13316,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "908 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708d657f0895a860febf8f",
      "name": "SafeFrame Container",
      "description": "",
      "modified": "2023-12-06T15:04:05.932000",
      "created": "2023-12-06T15:04:05.932000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1416,
        "domain": 2979,
        "URL": 8250,
        "hostname": 2262
      },
      "indicator_count": 14907,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "908 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6280921bfbaf2aace62511f1",
      "name": "1688.com .. 404-\u963f\u91cc\u5df4\u5df4",
      "description": "Alibaba",
      "modified": "2022-06-14T00:00:05.659000",
      "created": "2022-05-15T05:39:39.040000",
      "tags": [
        "typeerror",
        "object",
        "typeof t",
        "symbol",
        "typeof e",
        "typeof self",
        "webpackrequire",
        "typeof n",
        "json",
        "math",
        "body",
        "copyright",
        "apoorv saxena",
        "typeof",
        "typeof define",
        "detect ie",
        "typeof document",
        "substring",
        "\u963f\u91cc\u5df4\u5df4\uff0c1688\uff0c\u5fae\u5546\uff0c\u5fae\u5e97\uff0c\u8d27\u6e90\uff0c\u5973\u88c5\u6279\u53d1\uff0c\u7537\u88c5\uff0cb2b\uff0c\u6279\u53d1\uff0c\u91c7\u8d2d",
        "typeof symbol",
        "promise",
        "error",
        "date",
        "createclass",
        "array",
        "this",
        "typeof lib",
        "null",
        "mozilla",
        "regexp",
        "typeof require",
        "xmlhttprequest",
        "license",
        "xdomainrequest",
        "aplusscore",
        "s1e4",
        "cfunction",
        "html5",
        "span",
        "button",
        "android",
        "jupdate",
        "void",
        "webview",
        "kraken",
        "nundefined",
        "xfunction",
        "zfunction",
        "chrome",
        "xuexi",
        "nullj",
        "area",
        "mtopwvplugin",
        "activexobject",
        "post",
        "options",
        "function",
        "head",
        "delete",
        "false",
        "trace",
        "patch",
        "unknown",
        "alipay",
        "ff6a00",
        "opacity100",
        "opacity0",
        "f2f3f7",
        "e6e7eb",
        "f7f8fa",
        "helvetica neue",
        "helvetica",
        "tahoma",
        "arial",
        "\u963f\u91cc\u5df4\u5df4\uff0c\u91c7\u8d2d\u6279\u53d1\uff0c1688\uff0c\u884c\u4e1a\u95e8\u6237\uff0c\u7f51\u4e0a\u8d38\u6613\uff0cb2b\uff0c\u7535\u5b50\u5546\u52a1\uff0c\u5185\u8d38\uff0c\u5916\u8d38\uff0c\u6279\u53d1\uff0c\u884c\u4e1a\u8d44\u8baf\uff0c\u7f51\u4e0a\u8d38\u6613\uff0c\u7f51\u4e0a\u4ea4\u6613\uff0c\u4ea4\u6613\u5e02\u573a\uff0c\u5728",
        "1688",
        "1000",
        "yunos",
        "lazada",
        "http response",
        "gmt contenttype",
        "vary"
      ],
      "references": [
        "xfe-URL-1688.com-stix2-2.1-export.json",
        "xfe-IP-47.89.52.178-stix2-2.1-export.json",
        "https://page.1688.com/shtml/static/wrongpage.html",
        "http://polyfill.alicdn.com/",
        "xfe-URL-Alijk.com-stix2-2.1-export.json",
        "http://i.alicdn.com/",
        "http://is.alicdn.com/",
        "http://1688.com/",
        "https://mind.1688.com/wap/wapsy/dke4eosa0/index.html?no_cache=true&pageId=1150842&cms_id=1150842&src=desktop",
        "xfe-URL-mind.1688.com-stix2-2.1-export.json",
        "https://g.alicdn.com/secdev/sufei_data/3.9.9/index.js",
        "https://g.alicdn.com/alilog/mlog/aplus_wap.js",
        "https://mind.1688.com/zsh/zsh/d9my57ugj/index.html",
        "https://gw.alipayobjects.com/os/lib/lozad/1.16.0/dist/lozad.min.js",
        "http://g.alicdn.com/assets-group/croco/0.0.8/index.js"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 8598,
        "hostname": 2066,
        "domain": 1004,
        "FileHash-SHA256": 1645,
        "FileHash-MD5": 3
      },
      "indicator_count": 13316,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "1448 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62752a3d78ce35783bfc85cc",
      "name": "SafeFrame Container",
      "description": "If you want to know what is going to happen when you create a non-iterable object, try these three pieces of code in the form of a new \"word\" or \"phrase\".",
      "modified": "2022-06-05T00:03:45.266000",
      "created": "2022-05-06T14:01:33.267000",
      "tags": [
        "public",
        "typeof",
        "typeof define",
        "array",
        "typeerror",
        "typeof symbol",
        "error",
        "typeof enulle",
        "sdkversion",
        "internal",
        "date",
        "cnzzdata",
        "czuuid",
        "umdistinctid",
        "typeof e",
        "typeof t",
        "version",
        "swiper",
        "most",
        "copyright",
        "mit license",
        "april",
        "trident",
        "win32",
        "class",
        "lh",
        "vd",
        "function",
        "overlaylevel",
        "zdhxiong",
        "customevent",
        "symbol",
        "object",
        "string",
        "number",
        "null",
        "uint8array",
        "typeof b",
        "iframe",
        "android",
        "embed",
        "meta",
        "0x14a",
        "0x104",
        "0x97",
        "0xe1",
        "0x228",
        "0x12b",
        "0x14e",
        "0xf5",
        "0x11a",
        "0xc6",
        "sxa0",
        "typeof d",
        "closure library",
        "array int8array",
        "b1342177279",
        "regexp",
        "typeof r",
        "pseudo",
        "child",
        "typeof n",
        "template",
        "void",
        "this",
        "ienew ca",
        "quota",
        "aafunction",
        "dafunction",
        "gc",
        "trackpageview",
        "trackevent",
        "gtmmdcvhgd",
        "node",
        "element",
        "path",
        "reduceright",
        "p420",
        "gc3w7t6h5qw",
        "kafunction",
        "fafafa",
        "xlfunction",
        "kkfunction",
        "nkfunction",
        "qkfunction",
        "rkfunction",
        "skfunction",
        "span",
        "edge",
        "bad idp",
        "bad event",
        "crios",
        "invalid attempt",
        "afunction",
        "ufunction",
        "kfunction"
      ],
      "references": [
        "xfe-URL-himado.com-stix2-2.1-export.json",
        "xfe-IP-146.148.236.187-stix2-2.1-export.json",
        "xfe-URL-Psychz.net-stix2-2.1-export.json",
        "https://cdn.ampproject.org/rtv/012204221712000/amp4ads-host-v0.js",
        "https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.iTmf4rxOyWc.O/m=auth2/rt=j/sv=1/d=1/ed=1/rs=AHpOoo-LTnDn-AS2QlMWYZdnaV1OuFR7Iw/cb=gapi.loaded_0?le=scs",
        "https://securepubads.g.doubleclick.net/gpt/pubads_impl_page_level_ads_2022050201.js",
        "https://www.googletagmanager.com/gtag/js?id=G-C3W7T6H5QW&l=dataLayer&cx=c",
        "https://www.googletagmanager.com/gtm.js?id=GTM-MDCVHGD",
        "https://www.googletagmanager.com/gtag/js?id=UA-122335014-2",
        "https://himado.com/heihei/layui/layui.all.js",
        "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
        "https://himado.com/cdn-cgi/challenge-platform/h/g/scripts/invisible.js?ts=1651842000",
        "https://securepubads.g.doubleclick.net/gpt/pubads_impl_2022050201.js",
        "https://himado.com/heihei/node_modules/mdui/dist/js/mdui.min.js",
        "https://himado.com/heihei/js/swiper.min.js",
        "https://cdn.onesignal.com/sdks/OneSignalSDK.js",
        "https://c.cnzz.com/core.php?web_id=1280305902&t=z",
        "https://s4.cnzz.com/z_stat.php?id=1280305902&web_id=1280305902",
        "https://www.gstatic.com/firebasejs/8.1.2/firebase-app.js",
        "https://281cecd8ae73dff542e13679e60d5fb9.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html",
        "xfe-URL-Cnzz.com-stix2-2.1-export.json",
        "xfe-URL-Aliyun.com-stix2-2.1-export.json"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lh",
          "display_name": "Lh",
          "target": null
        },
        {
          "id": "Gc",
          "display_name": "Gc",
          "target": null
        },
        {
          "id": "ReduceRight",
          "display_name": "ReduceRight",
          "target": null
        },
        {
          "id": "Vd",
          "display_name": "Vd",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2262,
        "URL": 8251,
        "FileHash-SHA256": 1416,
        "domain": 2979
      },
      "indicator_count": 14908,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "1457 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ewtp.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ewtp.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780329381.1532888
}