{ "type": "Domain", "indicator": "fast-node.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fast-node.com", "alexa": "http://www.alexa.com/siteinfo/fast-node.com", "indicator": "fast-node.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4147071893, "indicator": "fast-node.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a072a0676dcfed7790c60ab", "name": "Botnet_C2 | May 16, 2026", "description": "Botnet_C2 indicators. Date: May 16, 2026. Total: 1275 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:26.156000", "created": "2026-05-15T14:13:26.156000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 106, "hostname": 168, "URL": 103 }, "indicator_count": 382, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05d87e1a72136955395ca3", "name": "Botnet_C2 | May 15, 2026", "description": "Botnet_C2 indicators. Date: May 15, 2026. Total: 1254 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:18.368000", "created": "2026-05-14T14:13:18.368000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 114, "hostname": 159, "URL": 111 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01e4064798f56d423e2d96", "name": "Botnet_C2 | May 12, 2026", "description": "Botnet_C2 indicators. Date: May 12, 2026. Total: 945 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-11T14:13:26.060000", "created": "2026-05-11T14:13:26.060000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 96, "domain": 145, "URL": 124 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a00928de04e9ba4cac1d6eb", "name": "Botnet_C2 | May 11, 2026", "description": "Botnet_C2 indicators. Date: May 11, 2026. Total: 861 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-10T14:13:33.465000", "created": "2026-05-10T14:13:33.465000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 133, "hostname": 112, "domain": 125 }, "indicator_count": 375, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ff40f444f57576283e05ff", "name": "Botnet_C2 | May 10, 2026", "description": "Botnet_C2 indicators. Date: May 10, 2026. Total: 850 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-09T14:13:08.467000", "created": "2026-05-09T14:13:08.467000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 130, "hostname": 126, "domain": 107 }, "indicator_count": 368, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fe029a3de469984c8f9218", "name": "Unknown Clipper", "description": "During investigation of a ClearFake attack chain an unknown Clipper malware was spotted. It makes use of Etherhiding to load its C2 from the BSC Testnet.\nAll domains in this Pusle have been extracted from contracts related to the Wallet creating the Clipper C2 contract. It is unsure if this actor used Etherhiding uniquely for Clipper activity, so it can not be ruled out that these domains serve other malicious purposes.", "modified": "2026-05-08T15:34:50.697000", "created": "2026-05-08T15:34:50.697000", "tags": [ "Clipper", "Etherhiding", "ClearFake" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fe02960432b2cc12530282", "name": "Unknown Clipper", "description": "During investigation of a ClearFake attack chain an unknown Clipper malware was spotted. It makes use of Etherhiding to load its C2 from the BSC Testnet.\nAll domains in this Pusle have been extracted from contracts related to the Wallet creating the Clipper C2 contract. It is unsure if this actor used Etherhiding uniquely for Clipper activity, so it can not be ruled out that these domains serve other malicious purposes.", "modified": "2026-05-08T15:34:46.350000", "created": "2026-05-08T15:34:46.350000", "tags": [ "Clipper", "Etherhiding", "ClearFake" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f574fc4d9aa9a815a658c", "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.", "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was http://dmca-security.com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses, focusing on pivoting techniques in DNS history to trace the threat. Specifically, the IP address 101.99.92[.]246 was identified as being utilized shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.", "modified": "2025-12-08T14:05:40.882000", "created": "2025-11-08T14:44:31.092000", "tags": [ "validin", "copy code", "dmca", "ip address", "wbmmfq", "john hammond", "dns history", "youtube", "august", "pivots", "april", "contact" ], "references": [ "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "URL": 3, "domain": 102, "hostname": 6 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "173 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://ltna.com.au/cyber", "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a072a0676dcfed7790c60ab", "name": "Botnet_C2 | May 16, 2026", "description": "Botnet_C2 indicators. Date: May 16, 2026. Total: 1275 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:26.156000", "created": "2026-05-15T14:13:26.156000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 106, "hostname": 168, "URL": 103 }, "indicator_count": 382, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05d87e1a72136955395ca3", "name": "Botnet_C2 | May 15, 2026", "description": "Botnet_C2 indicators. Date: May 15, 2026. Total: 1254 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:18.368000", "created": "2026-05-14T14:13:18.368000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 114, "hostname": 159, "URL": 111 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a01e4064798f56d423e2d96", "name": "Botnet_C2 | May 12, 2026", "description": "Botnet_C2 indicators. Date: May 12, 2026. Total: 945 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-11T14:13:26.060000", "created": "2026-05-11T14:13:26.060000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 96, "domain": 145, "URL": 124 }, "indicator_count": 370, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a00928de04e9ba4cac1d6eb", "name": "Botnet_C2 | May 11, 2026", "description": "Botnet_C2 indicators. Date: May 11, 2026. Total: 861 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-10T14:13:33.465000", "created": "2026-05-10T14:13:33.465000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 133, "hostname": 112, "domain": 125 }, "indicator_count": 375, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ff40f444f57576283e05ff", "name": "Botnet_C2 | May 10, 2026", "description": "Botnet_C2 indicators. Date: May 10, 2026. Total: 850 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-09T14:13:08.467000", "created": "2026-05-09T14:13:08.467000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 130, "hostname": 126, "domain": 107 }, "indicator_count": 368, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fe029a3de469984c8f9218", "name": "Unknown Clipper", "description": "During investigation of a ClearFake attack chain an unknown Clipper malware was spotted. It makes use of Etherhiding to load its C2 from the BSC Testnet.\nAll domains in this Pusle have been extracted from contracts related to the Wallet creating the Clipper C2 contract. It is unsure if this actor used Etherhiding uniquely for Clipper activity, so it can not be ruled out that these domains serve other malicious purposes.", "modified": "2026-05-08T15:34:50.697000", "created": "2026-05-08T15:34:50.697000", "tags": [ "Clipper", "Etherhiding", "ClearFake" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fe02960432b2cc12530282", "name": "Unknown Clipper", "description": "During investigation of a ClearFake attack chain an unknown Clipper malware was spotted. It makes use of Etherhiding to load its C2 from the BSC Testnet.\nAll domains in this Pusle have been extracted from contracts related to the Wallet creating the Clipper C2 contract. It is unsure if this actor used Etherhiding uniquely for Clipper activity, so it can not be ruled out that these domains serve other malicious purposes.", "modified": "2026-05-08T15:34:46.350000", "created": "2026-05-08T15:34:46.350000", "tags": [ "Clipper", "Etherhiding", "ClearFake" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f574fc4d9aa9a815a658c", "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.", "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was http://dmca-security.com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses, focusing on pivoting techniques in DNS history to trace the threat. Specifically, the IP address 101.99.92[.]246 was identified as being utilized shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.", "modified": "2025-12-08T14:05:40.882000", "created": "2025-11-08T14:44:31.092000", "tags": [ "validin", "copy code", "dmca", "ip address", "wbmmfq", "john hammond", "dns history", "youtube", "august", "pivots", "april", "contact" ], "references": [ "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "URL": 3, "domain": 102, "hostname": 6 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "173 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fast-node.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fast-node.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180146.4607813 }