{ "type": "Domain", "indicator": "faster.mo", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/faster.mo", "alexa": "http://www.alexa.com/siteinfo/faster.mo", "indicator": "faster.mo", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3989903734, "indicator": "faster.mo", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68a5a893d0e6cf5fee6c45a2", "name": "CryptoJacking is dead: long live CryptoJacking", "description": "The article discusses the evolution of cryptojacking, from its rise with Coinhive in 2017 to its apparent decline and subsequent resurgence in a more sophisticated form. A new campaign was discovered involving over 3,500 infected websites, using stealthy techniques to mine cryptocurrency without detection. The modern approach involves dropper scripts, environment checks, worker spawning, and C2 communication, prioritizing stealth over resource consumption. This new wave of cryptojacking attacks demonstrates the ongoing cat-and-mouse game between attackers and security measures, highlighting the need for continued vigilance in cybersecurity.", "modified": "2025-08-20T11:54:04.500000", "created": "2025-08-20T10:50:59.016000", "tags": [ "cryptojacking", "webassembly", "monero", "stealth mining", "web workers", "obfuscation", "websockets" ], "references": [ "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687e19249450e8925c4514e2", "name": "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking", "description": "", "modified": "2025-08-20T09:02:47.670000", "created": "2025-07-21T10:40:36.057000", "tags": [ "blog", "c/side", "client-side", "web", "development", "client/side", "cyber", "cyber security", "security", "pci dss v4", "magecart", "supply chain attack", "browser attack", "formjacking", "website vulnerability scanner", "data breaches", "credit card skimmer", "content security policies", "tag manager", "browser side script", "javascript security", "coinhive", "monero miner", "monero", "chrome", "firefox", "tuesday", "javascript file", "tutorialwe", "html page", "policy", "insert" ], "references": [ "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 4, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6705d4e57cd73602d02d7d41", "name": "AS197540 netcup gmbh", "description": "", "modified": "2024-11-08T00:03:35.782000", "created": "2024-10-09T00:57:09.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 910, "domain": 399, "hostname": 495 }, "indicator_count": 1804, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68a5a893d0e6cf5fee6c45a2", "name": "CryptoJacking is dead: long live CryptoJacking", "description": "The article discusses the evolution of cryptojacking, from its rise with Coinhive in 2017 to its apparent decline and subsequent resurgence in a more sophisticated form. A new campaign was discovered involving over 3,500 infected websites, using stealthy techniques to mine cryptocurrency without detection. The modern approach involves dropper scripts, environment checks, worker spawning, and C2 communication, prioritizing stealth over resource consumption. This new wave of cryptojacking attacks demonstrates the ongoing cat-and-mouse game between attackers and security measures, highlighting the need for continued vigilance in cybersecurity.", "modified": "2025-08-20T11:54:04.500000", "created": "2025-08-20T10:50:59.016000", "tags": [ "cryptojacking", "webassembly", "monero", "stealth mining", "web workers", "obfuscation", "websockets" ], "references": [ "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687e19249450e8925c4514e2", "name": "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking", "description": "", "modified": "2025-08-20T09:02:47.670000", "created": "2025-07-21T10:40:36.057000", "tags": [ "blog", "c/side", "client-side", "web", "development", "client/side", "cyber", "cyber security", "security", "pci dss v4", "magecart", "supply chain attack", "browser attack", "formjacking", "website vulnerability scanner", "data breaches", "credit card skimmer", "content security policies", "tag manager", "browser side script", "javascript security", "coinhive", "monero miner", "monero", "chrome", "firefox", "tuesday", "javascript file", "tutorialwe", "html page", "policy", "insert" ], "references": [ "https://cside.dev/blog/cryptojacking-is-dead-long-live-cryptojacking" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 4, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6705d4e57cd73602d02d7d41", "name": "AS197540 netcup gmbh", "description": "", "modified": "2024-11-08T00:03:35.782000", "created": "2024-10-09T00:57:09.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 910, "domain": 399, "hostname": 495 }, "indicator_count": 1804, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "569 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "faster.mo", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "faster.mo", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780271492.7744293 }