{ "type": "Domain", "indicator": "facepost.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/facepost.com", "alexa": "http://www.alexa.com/siteinfo/facepost.com", "indicator": "facepost.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4164665303, "indicator": "facepost.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a7412f9ac0b97106e70cd", "name": "GhostPairing Attacks: from phone number to full access in WhatsApp", "description": "The GhostPairing attack is a significant cyber threat that leverages the device linking feature of WhatsApp, enabling attackers to gain unauthorized access to user accounts. This campaign initially emerged in Czechia, where compromised accounts sent deceptive messages to contacts, typically involving a photo link that appeared to render as a Facebook element within WhatsApp. When users clicked these links, they were directed to a minimalistic web page bearing Facebook's branding, leading them to believe they had to verify their identity to access the content.", "modified": "2025-12-23T10:50:58.700000", "created": "2025-12-23T10:50:58.700000", "tags": [ "whatsapp", "facebook", "qr code", "whatsapp web", "whatsapp device", "facebook login", "czech", "facebook logo", "facebook viewer", "linked", "martin chlumeck\u00fd" ], "references": [ "https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "158 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack", "Book2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a7412f9ac0b97106e70cd", "name": "GhostPairing Attacks: from phone number to full access in WhatsApp", "description": "The GhostPairing attack is a significant cyber threat that leverages the device linking feature of WhatsApp, enabling attackers to gain unauthorized access to user accounts. This campaign initially emerged in Czechia, where compromised accounts sent deceptive messages to contacts, typically involving a photo link that appeared to render as a Facebook element within WhatsApp. When users clicked these links, they were directed to a minimalistic web page bearing Facebook's branding, leading them to believe they had to verify their identity to access the content.", "modified": "2025-12-23T10:50:58.700000", "created": "2025-12-23T10:50:58.700000", "tags": [ "whatsapp", "facebook", "qr code", "whatsapp web", "whatsapp device", "facebook login", "czech", "facebook logo", "facebook viewer", "linked", "martin chlumeck\u00fd" ], "references": [ "https://www.gendigital.com/blog/insights/research/ghostpairing-whatsapp-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "158 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "facepost.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "facepost.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780223343.2714808 }