{
  "type": "Domain",
  "indicator": "expertbigworldupdate3.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/expertbigworldupdate3.com",
    "alexa": "http://www.alexa.com/siteinfo/expertbigworldupdate3.com",
    "indicator": "expertbigworldupdate3.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3995612938,
      "indicator": "expertbigworldupdate3.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6859c53ade762dc5dbb4004c",
          "name": "Amadey Loader Infrastructure Mapping: Hunting Rules and Multi-AS Campaign Analysis.",
          "description": "A comprehensive investigation into Amadey Loader infrastructure starting from two known C2 domains (krakenlpay.com, 212.193.31.8). The research develops effective hunting rules using resource hash pivots via urlscan.io, identifying 323 related results and uncovering consistent patterns in panel naming conventions and URL structures. Analysis reveals infrastructure concentration across specific autonomous systems (AS51381, AS57523, AS216319, AS57678, AS216309) primarily in Russia, China, Seychelles, and Hong Kong. The investigation identifies common server configurations (Nginx 1.18.0 on Ubuntu, Apache 2.4.58) and creates detection rules based on login page characteristics. Contains IOCs for 35 IP addresses and 32 domains, with notable SSH fingerprint clustering indicating shared threat actor provisioning. Includes discussion of potential evasion techniques targeting security research platforms and the growing use of Cloudflare for infrastructure protection.",
          "modified": "2025-07-23T21:02:57.552000",
          "created": "2025-06-23T21:20:58.014000",
          "tags": [
            "amadey login",
            "amadey loader",
            "censys",
            "lumma stealer",
            "redline",
            "mystic",
            "secret blizzard",
            "amadey",
            "hash pivotusing",
            "resource hash",
            "lumma"
          ],
          "references": [
            "https://open.substack.com/pub/intelinsights/p/mapping-amadey-loader-infrastructure?utm_source=share&utm_medium=android&r=5l6xoe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "China"
          ],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Amadey",
              "display_name": "Amadey",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 33
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "311 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ef8acdfe632a32bd164cbc",
          "name": "Threat Intel Report - W11-2025",
          "description": "These are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2025-05-04T07:02:31.627000",
          "created": "2025-04-04T07:31:25.772000",
          "tags": [
            "mozi",
            "germany",
            "india",
            "china",
            "grouped",
            "vietnam",
            "united kingdom",
            "singapore",
            "week",
            "group",
            "indonesia",
            "clearfake",
            "asyncrat",
            "stealc",
            "smartloader",
            "mexico",
            "remcos",
            "malware",
            "date",
            "belarus",
            "ukraine",
            "amadey",
            "lockbit",
            "linux",
            "superblack",
            "akira"
          ],
          "references": [
            "https://urlhaus.abuse.ch/",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SuperBlack",
              "display_name": "SuperBlack",
              "target": null
            },
            {
              "id": "Akira",
              "display_name": "Akira",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 91,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 51,
            "FileHash-SHA256": 117,
            "domain": 62,
            "hostname": 114
          },
          "indicator_count": 486,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 106,
          "modified_text": "391 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6718d3efafe0408a73fde2b6",
          "name": "Threat Intel Report - W42-2024",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2024-11-22T10:00:39.242000",
          "created": "2024-10-23T10:46:07.116000",
          "tags": [
            "mozi",
            "mozi link",
            "brazil",
            "germany",
            "singapore",
            "panama",
            "china",
            "france",
            "week",
            "turkey",
            "indonesia",
            "stealc",
            "asyncrat",
            "remcos",
            "coinminer",
            "ukraine",
            "amadey"
          ],
          "references": [
            "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 46,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 117,
            "URL": 202,
            "domain": 52,
            "hostname": 75
          },
          "indicator_count": 538,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 107,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6718d3f1b2d95f85c40b2233",
          "name": "Threat Intel Report - W42-2024",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2024-11-22T10:00:39.242000",
          "created": "2024-10-23T10:46:09.554000",
          "tags": [
            "mozi",
            "mozi link",
            "brazil",
            "germany",
            "singapore",
            "panama",
            "china",
            "france",
            "week",
            "turkey",
            "indonesia",
            "stealc",
            "asyncrat",
            "remcos",
            "coinminer",
            "ukraine",
            "amadey"
          ],
          "references": [
            "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 46,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 117,
            "URL": 202,
            "domain": 52,
            "hostname": 75
          },
          "indicator_count": 538,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 107,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6718d5365b2f8eed9f8fa754",
          "name": "Threat Intel Report - W43-2024",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2024-11-22T10:00:39.242000",
          "created": "2024-10-23T10:51:34.212000",
          "tags": [
            "mozi",
            "mozi link",
            "brazil",
            "germany",
            "singapore",
            "panama",
            "china",
            "france",
            "week",
            "turkey",
            "indonesia",
            "stealc",
            "asyncrat",
            "remcos",
            "coinminer",
            "ukraine",
            "amadey"
          ],
          "references": [
            "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 46,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 117,
            "URL": 202,
            "domain": 52,
            "hostname": 75
          },
          "indicator_count": 538,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6717372856bc9585bb4077a6",
          "name": "One of several DNS records for expertbigworldupdate.com",
          "description": "I am testing with Lumu, and this URL appears along with similar ones, all of which are reported on VT by several other security vendors, but not by Lumu. The worrying thing is the number of contacts from my hosts to these URLs.",
          "modified": "2024-10-22T05:26:03.974000",
          "created": "2024-10-22T05:24:55.007000",
          "tags": [
            "502 Bad Gateway"
          ],
          "references": [
            "Lumu"
          ],
          "public": 1,
          "adversary": "expertbigworldupdate",
          "targeted_countries": [
            "Mexico"
          ],
          "malware_families": [
            {
              "id": "AMADEY",
              "display_name": "AMADEY",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            }
          ],
          "industries": [
            "Education"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FredyAlvarez",
            "id": "269088",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "586 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://open.substack.com/pub/intelinsights/p/mapping-amadey-loader-infrastructure?utm_source=share&utm_medium=android&r=5l6xoe",
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/",
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "Lumu"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "expertbigworldupdate"
          ],
          "malware_families": [
            "Superblack",
            "Akira",
            "Lumma",
            "Linux",
            "Amadey",
            "Lockbit"
          ],
          "industries": [
            "Cryptocurrency",
            "Education"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6859c53ade762dc5dbb4004c",
      "name": "Amadey Loader Infrastructure Mapping: Hunting Rules and Multi-AS Campaign Analysis.",
      "description": "A comprehensive investigation into Amadey Loader infrastructure starting from two known C2 domains (krakenlpay.com, 212.193.31.8). The research develops effective hunting rules using resource hash pivots via urlscan.io, identifying 323 related results and uncovering consistent patterns in panel naming conventions and URL structures. Analysis reveals infrastructure concentration across specific autonomous systems (AS51381, AS57523, AS216319, AS57678, AS216309) primarily in Russia, China, Seychelles, and Hong Kong. The investigation identifies common server configurations (Nginx 1.18.0 on Ubuntu, Apache 2.4.58) and creates detection rules based on login page characteristics. Contains IOCs for 35 IP addresses and 32 domains, with notable SSH fingerprint clustering indicating shared threat actor provisioning. Includes discussion of potential evasion techniques targeting security research platforms and the growing use of Cloudflare for infrastructure protection.",
      "modified": "2025-07-23T21:02:57.552000",
      "created": "2025-06-23T21:20:58.014000",
      "tags": [
        "amadey login",
        "amadey loader",
        "censys",
        "lumma stealer",
        "redline",
        "mystic",
        "secret blizzard",
        "amadey",
        "hash pivotusing",
        "resource hash",
        "lumma"
      ],
      "references": [
        "https://open.substack.com/pub/intelinsights/p/mapping-amadey-loader-infrastructure?utm_source=share&utm_medium=android&r=5l6xoe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "China"
      ],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Amadey",
          "display_name": "Amadey",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 33
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "311 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ef8acdfe632a32bd164cbc",
      "name": "Threat Intel Report - W11-2025",
      "description": "These are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2025-05-04T07:02:31.627000",
      "created": "2025-04-04T07:31:25.772000",
      "tags": [
        "mozi",
        "germany",
        "india",
        "china",
        "grouped",
        "vietnam",
        "united kingdom",
        "singapore",
        "week",
        "group",
        "indonesia",
        "clearfake",
        "asyncrat",
        "stealc",
        "smartloader",
        "mexico",
        "remcos",
        "malware",
        "date",
        "belarus",
        "ukraine",
        "amadey",
        "lockbit",
        "linux",
        "superblack",
        "akira"
      ],
      "references": [
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SuperBlack",
          "display_name": "SuperBlack",
          "target": null
        },
        {
          "id": "Akira",
          "display_name": "Akira",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 91,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 51,
        "FileHash-SHA256": 117,
        "domain": 62,
        "hostname": 114
      },
      "indicator_count": 486,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 106,
      "modified_text": "391 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6718d3efafe0408a73fde2b6",
      "name": "Threat Intel Report - W42-2024",
      "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2024-11-22T10:00:39.242000",
      "created": "2024-10-23T10:46:07.116000",
      "tags": [
        "mozi",
        "mozi link",
        "brazil",
        "germany",
        "singapore",
        "panama",
        "china",
        "france",
        "week",
        "turkey",
        "indonesia",
        "stealc",
        "asyncrat",
        "remcos",
        "coinminer",
        "ukraine",
        "amadey"
      ],
      "references": [
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 46,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 117,
        "URL": 202,
        "domain": 52,
        "hostname": 75
      },
      "indicator_count": 538,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 107,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6718d3f1b2d95f85c40b2233",
      "name": "Threat Intel Report - W42-2024",
      "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2024-11-22T10:00:39.242000",
      "created": "2024-10-23T10:46:09.554000",
      "tags": [
        "mozi",
        "mozi link",
        "brazil",
        "germany",
        "singapore",
        "panama",
        "china",
        "france",
        "week",
        "turkey",
        "indonesia",
        "stealc",
        "asyncrat",
        "remcos",
        "coinminer",
        "ukraine",
        "amadey"
      ],
      "references": [
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 46,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 117,
        "URL": 202,
        "domain": 52,
        "hostname": 75
      },
      "indicator_count": 538,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 107,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6718d5365b2f8eed9f8fa754",
      "name": "Threat Intel Report - W43-2024",
      "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2024-11-22T10:00:39.242000",
      "created": "2024-10-23T10:51:34.212000",
      "tags": [
        "mozi",
        "mozi link",
        "brazil",
        "germany",
        "singapore",
        "panama",
        "china",
        "france",
        "week",
        "turkey",
        "indonesia",
        "stealc",
        "asyncrat",
        "remcos",
        "coinminer",
        "ukraine",
        "amadey"
      ],
      "references": [
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 46,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 117,
        "URL": 202,
        "domain": 52,
        "hostname": 75
      },
      "indicator_count": 538,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 108,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6717372856bc9585bb4077a6",
      "name": "One of several DNS records for expertbigworldupdate.com",
      "description": "I am testing with Lumu and this URL appears along with similar ones, all reported on VT by some other security vendors, except Lumu. The worrying thing is the number of contacts from my hosts to these URLs.",
      "modified": "2024-10-22T05:26:03.974000",
      "created": "2024-10-22T05:24:55.007000",
      "tags": [
        "502 Bad Gateway"
      ],
      "references": [
        "Lumu"
      ],
      "public": 1,
      "adversary": "expertbigworldupdate",
      "targeted_countries": [
        "Mexico"
      ],
      "malware_families": [
        {
          "id": "AMADEY",
          "display_name": "AMADEY",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        }
      ],
      "industries": [
        "Education"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "FredyAlvarez",
        "id": "269088",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "586 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "expertbigworldupdate3.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "expertbigworldupdate3.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205793.189007
}