{ "type": "Domain", "indicator": "fe01.co.kr", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fe01.co.kr", "alexa": "http://www.alexa.com/siteinfo/fe01.co.kr", "indicator": "fe01.co.kr", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4355556079, "indicator": "fe01.co.kr", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6a04a9a090a64de310cb0568", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.", "modified": "2026-05-14T08:36:05.694000", "created": "2026-05-13T16:41:04.367000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386485, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a551635dbbeed40b21cd", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-15T04:47:13.553000", "created": "2026-05-15T04:47:13.553000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": "6a04a9a090a64de310cb0568", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a54fa41ca0f2894e09e0", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-15T04:47:11.556000", "created": "2026-05-15T04:47:11.556000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": "6a04a9a090a64de310cb0568", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a048d03417ba877dc0a4e1d", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-13T14:38:59.926000", "created": "2026-05-13T14:38:59.926000", "tags": [ "c2 server", "lnk file", "figure", "north korea", "python bytecode", "compiled python", "python", "apt37 group", "python runtime", "offset", "powershell", "april", "initial access", "attack", "execution", "first", "code", "cookie", "path", "trojan", "malicious", "friday" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "CVE": 1, "FileHash-MD5": 11, "URL": 1, "domain": 18, "email": 1, "hostname": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03de9538db814b3312ef89", "name": "IOC - Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "Genians Security Center identified a threat campaign suspected of being associated with APT37 that combines an obfuscated batch file command invocation technique with Compiled Python-based malware.\nThis threat is distributed through email-based spear phishing in the form of ZIP-compressed files and begins by inducing the user to execute an LNK shortcut file contained inside. When the user runs the file, the actual command is reconstructed through an environment variable-based substring expansion technique, after which additional payloads are downloaded and executed sequentially.", "modified": "2026-05-13T02:14:45.584000", "created": "2026-05-13T02:14:45.584000", "tags": [], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "FileHash-MD5": 11, "domain": 5 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02da5139868596248b6e77", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-12T07:44:17.728000", "created": "2026-05-12T07:44:17.728000", "tags": [ "c2 server", "lnk file", "figure", "north korea", "python bytecode", "compiled python", "python", "apt37 group", "python runtime", "offset", "powershell", "april", "initial access", "attack", "execution", "first", "code", "cookie", "path", "trojan", "malicious", "friday" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "CVE": 1, "FileHash-MD5": 11, "URL": 1, "domain": 18, "email": 1, "hostname": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.csv", "https://www.genians.co.kr/en/blog/threat_intelligence/python", "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "related": { "alienvault": { "adversary": [ "APT37" ], "malware_families": [ "Chinotto" ], "industries": [ "Government", "Defense" ] }, "other": { "adversary": [ "APT37", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Chinotto" ], "industries": [ "Government", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6a04a9a090a64de310cb0568", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "A sophisticated campaign linked to APT37 delivers Python-based backdoors through spear-phishing emails containing malicious LNK files disguised as legitimate documents. Attackers use themes including airline e-tickets, North Korea research invitations, and impersonation of defense and police officials to induce execution. The LNK files employ environment variable-based obfuscation techniques to download additional BAT files, which establish a Python runtime environment and execute compiled Python bytecode disguised with .cat extensions. The malware functions as a remote command execution backdoor, communicating with C2 servers to receive commands and exfiltrate results. Persistence is maintained through scheduled tasks executing at one-minute intervals. The campaign shows strong tactical similarities to previous APT37 operations, including infrastructure patterns, script obfuscation methods, and the abuse of legitimate tools.", "modified": "2026-05-14T08:36:05.694000", "created": "2026-05-13T16:41:04.367000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 386485, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a551635dbbeed40b21cd", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-15T04:47:13.553000", "created": "2026-05-15T04:47:13.553000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": "6a04a9a090a64de310cb0568", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06a54fa41ca0f2894e09e0", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-15T04:47:11.556000", "created": "2026-05-15T04:47:11.556000", "tags": [ "compiled python bytecode", "apt37", "environment variable obfuscation", "chinotto", "deepfake impersonation", "python backdoor", "spear-phishing", "scheduled tasks persistence", "lnk file" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "APT37", "targeted_countries": [], "malware_families": [ { "id": "Chinotto", "display_name": "Chinotto", "target": null } ], "attack_ids": [], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": "6a04a9a090a64de310cb0568", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 6, "CVE": 1, "FileHash-MD5": 11, "domain": 18 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a048d03417ba877dc0a4e1d", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-13T14:38:59.926000", "created": "2026-05-13T14:38:59.926000", "tags": [ "c2 server", "lnk file", "figure", "north korea", "python bytecode", "compiled python", "python", "apt37 group", "python runtime", "offset", "powershell", "april", "initial access", "attack", "execution", "first", "code", "cookie", "path", "trojan", "malicious", "friday" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "CVE": 1, "FileHash-MD5": 11, "URL": 1, "domain": 18, "email": 1, "hostname": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03de9538db814b3312ef89", "name": "IOC - Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "Genians Security Center identified a threat campaign suspected of being associated with APT37 that combines an obfuscated batch file command invocation technique with Compiled Python-based malware.\nThis threat is distributed through email-based spear phishing in the form of ZIP-compressed files and begins by inducing the user to execute an LNK shortcut file contained inside. When the user runs the file, the actual command is reconstructed through an environment variable-based substring expansion technique, after which additional payloads are downloaded and executed sequentially.", "modified": "2026-05-13T02:14:45.584000", "created": "2026-05-13T02:14:45.584000", "tags": [], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "FileHash-MD5": 11, "domain": 5 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02da5139868596248b6e77", "name": "Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign", "description": "", "modified": "2026-05-12T07:44:17.728000", "created": "2026-05-12T07:44:17.728000", "tags": [ "c2 server", "lnk file", "figure", "north korea", "python bytecode", "compiled python", "python", "apt37 group", "python runtime", "offset", "powershell", "april", "initial access", "attack", "execution", "first", "code", "cookie", "path", "trojan", "malicious", "friday" ], "references": [ "https://www.genians.co.kr/en/blog/threat_intelligence/python" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 7, "CVE": 1, "FileHash-MD5": 11, "URL": 1, "domain": 18, "email": 1, "hostname": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fe01.co.kr", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fe01.co.kr", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780206478.743259 }