{ "type": "Domain", "indicator": "fessionalwork.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fessionalwork.com", "alexa": "http://www.alexa.com/siteinfo/fessionalwork.com", "indicator": "fessionalwork.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3366359500, "indicator": "fessionalwork.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "68d56db8ea32a255b0de8822", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications data from telecom providers and critical infrastructure sectors. The group operates with MSS oversight and support from pseudo-private contractors, using front companies to obscure attribution. Salt Typhoon's campaigns utilize bespoke malware, living-off-the-land binaries, and stealthy router implants, with a targeting profile spanning the U.S., U.K., Taiwan, and EU. Their operations are notable for using publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.", "modified": "2025-09-25T19:09:29.549000", "created": "2025-09-25T16:28:40.891000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 377721, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bef37d948f9f130f1cbecc", "name": "Significant Risk and Proactive Defense", "description": "A comprehensive analysis reveals a substantial threat posed by domains linked to Salt Typhoon and UNC4841, likely China-associated cyberespionage actors. The investigation uncovered a larger network of domain names beyond those publicly known, indicating a pattern of long-term access and sophisticated operations. A recent breach of a U.S. telecommunications provider, discovered a year after the fact, underscores the persistent nature of these threats. Organizations potentially at risk of Chinese espionage are strongly advised to scrutinize their DNS logs for the past five years, checking for requests to listed domains, subdomains, and associated IP addresses. Ongoing monitoring and information sharing are crucial in defending against this evolving threat landscape.", "modified": "2025-09-08T15:19:36.403000", "created": "2025-09-08T15:17:17.853000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 63194, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 377723, "modified_text": "223 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64edfc5ab93abb1407070292", "name": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)", "description": "UNC4841 has continued to show sophistication and adaptability in response to remediation efforts. Specifically, UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda\u2019s remediation guidance.", "modified": "2023-09-28T14:00:22.225000", "created": "2023-08-29T14:10:33.719000", "tags": [ "unc4841", "depthcharge", "foxtrot", "barracuda", "foxglove", "skipjack", "cve20232868", "ghostemperor", "unc3886", "castletap", "driedmoat" ], "references": [ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" ], "public": 1, "adversary": "UNC4841", "targeted_countries": [ "China", "Taiwan", "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "UNC3886", "display_name": "UNC3886", "target": null }, { "id": "CASTLETAP", "display_name": "CASTLETAP", "target": null }, { "id": "DRIEDMOAT", "display_name": "DRIEDMOAT", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "DEPTHCHARGE", "display_name": "DEPTHCHARGE", "target": null }, { "id": "SKIPJACK", "display_name": "SKIPJACK", "target": null }, { "id": "FOXGLOVE", "display_name": "FOXGLOVE", "target": null }, { "id": "FOXTROT", "display_name": "FOXTROT", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Information Technology", "High Tech", "Foreign", "Aerospace", "Technology", "Telecommunications", "Manufacturing", "Healthcare", "Biotechnology", "Defense", "Foreign Affairs", "Trade", "Semiconductor" ], "TLP": "white", "cloned_from": null, "export_count": 399, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 120, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "YARA": 4, "domain": 8, "hostname": 2 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 377721, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-20T01:32:33.227000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 509578, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48213, "domain": 72685 }, "indicator_count": 120898, "is_author": false, "is_subscribing": null, "subscriber_count": 1699, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6872000, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a9a77a47c528558c8ef", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:48:26.770000", "created": "2026-01-21T04:48:26.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a66c4042524a1ef26a8", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:34.615000", "created": "2026-01-21T04:47:34.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a57b1aa54d1ca1e9777", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:19.388000", "created": "2026-01-21T04:47:19.388000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a330e5bb8fbd2e958ff", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:43.394000", "created": "2026-01-21T04:46:43.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a308ae683c590bcbe71", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.973000", "created": "2026-01-21T04:46:40.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a3056e76df0e220c4d2", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.172000", "created": "2026-01-21T04:46:40.172000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69404b09d8296388596ecfa9", "name": "BLOCK_2025_DIC", "description": "", "modified": "2025-12-24T16:04:11.529000", "created": "2025-12-15T17:53:13.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2300, "FileHash-MD5": 4833, "URL": 1673, "hostname": 1297, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3235, "CIDR": 19, "email": 170, "CVE": 4 }, "indicator_count": 23916, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dcfe617051963f6fa4a7e3", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-10-31T10:03:43.999000", "created": "2025-10-01T10:11:45.879000", "tags": [], "references": [ "Sep week4.pdf" ], "public": 1, "adversary": "BeaverTail, Gunra Ransomware, Lockbit, Lumma Staeler, TamperedChef, RedNovember, XWorm campaign", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 97, "FileHash-MD5": 95, "FileHash-SHA1": 117, "FileHash-SHA256": 105, "CVE": 5, "URL": 21, "hostname": 50, "email": 2 }, "indicator_count": 492, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dae3af2eff735b92c27326", "name": "Inside Salt Typhoon: Chinas State-Corporate Advanced Persistent Threat.", "description": "A report on China\u2019s state-sponsored advanced persistent threat (APT) group Salt Typhoon, published by the International Institute for Strategic Studies (IISS), outlines its capabilities and strategy.", "modified": "2025-10-29T19:00:25.553000", "created": "2025-09-29T19:53:19.210000", "tags": [ "salt typhoon", "china", "ministry", "typhoon", "state security", "sigint", "justice", "department", "miami", "voip", "august", "known" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/" ], "public": 1, "adversary": "Known", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Telecommunications", "Telecom", "Defense", "Critical Infrastructure", "Foreign", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 36, "hostname": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 172, "modified_text": "172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ca542a70d6b89d74e7610c", "name": "aasdd", "description": "The following is a full list of up-to-dateupdata, which has been compiled by the British Library and the Association of Chartered Surveyors (BSPs) for the past 20 years.", "modified": "2025-10-17T06:04:52.323000", "created": "2025-09-17T06:24:42.069000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "domain": 45, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bff3e33540d09bd27e7c8c", "name": "EbeeSep2025 Pt2", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-09T09:31:15.081000", "tags": [], "references": [ "Sep week2.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 175, "FileHash-SHA1": 165, "FileHash-SHA256": 382, "domain": 75, "hostname": 17, "FilePath": 4, "URL": 17 }, "indicator_count": 835, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c990a9255b06d5e0a85", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:09.365000", "created": "2025-09-29T06:52:09.365000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "203 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c9804b67e35d4e82fc0", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:52:08.360000", "created": "2025-09-29T06:52:08.360000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "203 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68da2c8eb85bd3f8ae4b647c", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-29T06:51:58.340000", "created": "2025-09-29T06:51:58.340000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "203 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d63d2a6c32057604d3d1b3", "name": "IOC - Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "", "modified": "2025-09-26T07:13:46.453000", "created": "2025-09-26T07:13:46.453000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "Salt Typhoon", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": "68d56db8ea32a255b0de8822", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 121, "modified_text": "206 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c25b29cb401c32731b9035", "name": "\"Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data \"", "description": "", "modified": "2025-09-11T05:16:25.087000", "created": "2025-09-11T05:16:25.087000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": "68bef37d948f9f130f1cbecc", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "221 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654c34e7efa40976a9dd655b", "name": "SOC2023", "description": "", "modified": "2025-08-17T17:03:38.868000", "created": "2023-11-09T01:24:55.160000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65491efbfc3d9479076431bb", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1714, "FileHash-MD5": 3448, "URL": 727, "hostname": 912, "FileHash-SHA256": 4539, "FileHash-SHA1": 2696, "IPv4": 276, "CIDR": 10, "email": 28 }, "indicator_count": 14350, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246da161670e959a9eec", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:29.608000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246c8bf7850b5096828e", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:28.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6765eebf9ec06704f3a6ea68", "name": "CLON IPIF", "description": "", "modified": "2025-01-09T23:04:00.232000", "created": "2024-12-20T22:25:03.407000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2031, "FileHash-MD5": 4171, "URL": 1324, "hostname": 1222, "FileHash-SHA256": 5634, "FileHash-SHA1": 3368, "IPv4": 189, "CIDR": 6, "email": 162 }, "indicator_count": 18107, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758ebc2472100ac75acad69", "name": "2024-DIC-10-Clon", "description": "", "modified": "2025-01-09T23:04:00.232000", "created": "2024-12-11T01:32:50.260000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2030, "FileHash-MD5": 4171, "URL": 1324, "hostname": 1222, "FileHash-SHA256": 5634, "FileHash-SHA1": 3368, "IPv4": 189, "CIDR": 6, "email": 162 }, "indicator_count": 18106, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6732a0b6cc4c5356a823de37", "name": "_CLON_2024_NOV11", "description": "", "modified": "2024-12-11T00:00:21.805000", "created": "2024-11-12T00:26:30.524000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1795, "FileHash-MD5": 3724, "URL": 1028, "hostname": 1096, "FileHash-SHA256": 5030, "FileHash-SHA1": 2927, "IPv4": 189, "CIDR": 6, "email": 28 }, "indicator_count": 15823, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "495 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fc23e4c36f0715310e1d95", "name": "SOC_BLOCK_NEW", "description": "", "modified": "2024-03-21T12:11:41.190000", "created": "2024-03-21T12:11:16.345000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 275, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fencesense", "id": "255590", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1715, "FileHash-MD5": 3498, "URL": 729, "hostname": 911, "FileHash-SHA256": 4590, "FileHash-SHA1": 2746, "IPv4": 189, "CIDR": 6, "email": 28 }, "indicator_count": 14412, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "760 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a9b042961d3e7a6a564d", "name": "bkp16oct", "description": "", "modified": "2023-12-06T17:04:48.880000", "created": "2023-12-06T17:04:48.880000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1390, "FileHash-SHA256": 3099, "hostname": 769, "FileHash-MD5": 2353, "FileHash-SHA1": 1624, "URL": 590, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 10007, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a8b5cae685fce7f5231f", "name": "bkp oct 10", "description": "", "modified": "2023-12-06T17:00:37.687000", "created": "2023-12-06T17:00:37.687000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1376, "FileHash-SHA256": 3065, "hostname": 768, "FileHash-MD5": 2320, "FileHash-SHA1": 1591, "URL": 589, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7d02c5746343283fc12", "name": "bkp5o23", "description": "", "modified": "2023-12-06T16:56:48.472000", "created": "2023-12-06T16:56:48.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1365, "FileHash-SHA256": 3021, "hostname": 764, "FileHash-MD5": 2278, "FileHash-SHA1": 1539, "URL": 589, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 9738, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7aaee2e95f7517277d3", "name": "bkp03test", "description": "", "modified": "2023-12-06T16:56:10.492000", "created": "2023-12-06T16:56:10.492000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1362, "FileHash-SHA256": 2891, "hostname": 755, "FileHash-MD5": 2159, "FileHash-SHA1": 1420, "URL": 589, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9356, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7a346ec10c12d5b15b5", "name": "BKPo3", "description": "", "modified": "2023-12-06T16:56:03.381000", "created": "2023-12-06T16:56:03.381000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1362, "FileHash-SHA256": 2891, "hostname": 755, "FileHash-MD5": 2159, "FileHash-SHA1": 1420, "URL": 589, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9356, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a602c1e9c47280c247e4", "name": "SOC2023", "description": "", "modified": "2023-12-06T16:49:06.159000", "created": "2023-12-06T16:49:06.159000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1420, "FileHash-SHA256": 3123, "hostname": 769, "FileHash-MD5": 2379, "FileHash-SHA1": 1642, "URL": 590, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 10105, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a5f81702fdce6c496a1c", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:48:56.950000", "created": "2023-12-06T16:48:56.950000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a5a5f6bf793f823e6397", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:47:33.032000", "created": "2023-12-06T16:47:33.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657093164553ecf08ba4a8bd", "name": "SOC2022ALL", "description": "", "modified": "2023-12-06T15:28:22.905000", "created": "2023-12-06T15:28:22.905000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6346ee707f119521a426ecc9", "name": "SOC2022ALL", "description": "DD", "modified": "2023-10-21T14:02:41.990000", "created": "2022-10-12T16:42:24.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16454, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1490, "FileHash-MD5": 2606, "URL": 611, "hostname": 831, "FileHash-SHA256": 3518, "FileHash-SHA1": 1794, "IPv4": 187, "CIDR": 6, "email": 26 }, "indicator_count": 11069, "is_author": false, "is_subscribing": null, "subscriber_count": 102, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f089a1db3faccfc533cbff", "name": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant", "description": "Mandiant is the world's leading provider of threat intelligence and incident response services, with products, services and resources designed to help businesses and government agencies defend against cyber crime and threats from cyber criminals.", "modified": "2023-09-30T12:01:18.504000", "created": "2023-08-31T12:37:53.769000", "tags": [ "unc4841", "mandiant", "depthcharge", "foxtrot", "barracuda", "foxglove", "barracuda esg", "skipjack", "cve20232868", "june", "february", "ghostemperor", "reptile", "base64", "unc3886", "castletap", "driedmoat" ], "references": [ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "Taiwan", "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "UNC3886", "display_name": "UNC3886", "target": null }, { "id": "CASTLETAP", "display_name": "CASTLETAP", "target": null }, { "id": "DRIEDMOAT", "display_name": "DRIEDMOAT", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "DEPTHCHARGE", "display_name": "DEPTHCHARGE", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Information Technology", "High Tech", "Foreign", "Aerospace", "Technology", "Telecommunications", "Manufacturing", "Healthcare", "Biotechnology", "Defense", "Foreign Affairs", "Trade", "Semiconductor" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 121, "FileHash-SHA1": 20, "FileHash-SHA256": 20, "YARA": 4, "domain": 8, "hostname": 3 }, "indicator_count": 177, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "933 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f025da85fd3c8ea2f0fa27", "name": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)", "description": "", "modified": "2023-09-28T14:00:22.225000", "created": "2023-08-31T05:32:10.946000", "tags": [ "unc4841", "depthcharge", "foxtrot", "barracuda", "foxglove", "skipjack", "cve20232868", "ghostemperor", "unc3886", "castletap", "driedmoat" ], "references": [ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" ], "public": 1, "adversary": "UNC4841", "targeted_countries": [ "China", "Taiwan", "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "UNC3886", "display_name": "UNC3886", "target": null }, { "id": "CASTLETAP", "display_name": "CASTLETAP", "target": null }, { "id": "DRIEDMOAT", "display_name": "DRIEDMOAT", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "DEPTHCHARGE", "display_name": "DEPTHCHARGE", "target": null }, { "id": "SKIPJACK", "display_name": "SKIPJACK", "target": null }, { "id": "FOXGLOVE", "display_name": "FOXGLOVE", "target": null }, { "id": "FOXTROT", "display_name": "FOXTROT", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Information Technology", "High Tech", "Foreign", "Aerospace", "Technology", "Telecommunications", "Manufacturing", "Healthcare", "Biotechnology", "Defense", "Foreign Affairs", "Trade", "Semiconductor" ], "TLP": "white", "cloned_from": "64f0100c80f7e6493dd56daf", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 120, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "YARA": 4, "domain": 8, "hostname": 2 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f0100c80f7e6493dd56daf", "name": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)", "description": "", "modified": "2023-09-28T14:00:22.225000", "created": "2023-08-31T03:59:08.759000", "tags": [ "unc4841", "depthcharge", "foxtrot", "barracuda", "foxglove", "skipjack", "cve20232868", "ghostemperor", "unc3886", "castletap", "driedmoat" ], "references": [ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" ], "public": 1, "adversary": "UNC4841", "targeted_countries": [ "China", "Taiwan", "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "UNC3886", "display_name": "UNC3886", "target": null }, { "id": "CASTLETAP", "display_name": "CASTLETAP", "target": null }, { "id": "DRIEDMOAT", "display_name": "DRIEDMOAT", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "DEPTHCHARGE", "display_name": "DEPTHCHARGE", "target": null }, { "id": "SKIPJACK", "display_name": "SKIPJACK", "target": null }, { "id": "FOXGLOVE", "display_name": "FOXGLOVE", "target": null }, { "id": "FOXTROT", "display_name": "FOXTROT", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Information Technology", "High Tech", "Foreign", "Aerospace", "Technology", "Telecommunications", "Manufacturing", "Healthcare", "Biotechnology", "Defense", "Foreign Affairs", "Trade", "Semiconductor" ], "TLP": "white", "cloned_from": "64edfc5ab93abb1407070292", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 120, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "YARA": 4, "domain": 8, "hostname": 2 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ec3691ba8ffb01f4b54bfe", "name": "Suspected PRC Cyber ActorsContinue to Globally Exploit Barracuda ESG Zero-Day Vulnerability", "description": "", "modified": "2023-09-24T07:00:54.802000", "created": "2023-08-28T05:54:25.114000", "tags": [ "CVE-2023-2868", "ESG", "PRC cyber actors", "data exfiltration", "credential harvesting", "email scanning,", "persistent access", "SUBMARINE", "WHIRLPOOL", "SEASPY" ], "references": [ "https://www.ic3.gov/Media/News/2023/230823.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64e85599afbecba4a3b09b3e", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 7 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e85599afbecba4a3b09b3e", "name": "Suspected PRC Cyber ActorsContinue to Globally Exploit Barracuda ESG Zero-Day Vulnerability", "description": "As a part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day\nvulnerability in Barracuda Network\u2019s Email Security Gateway (ESG) appliances, the FBI has\nindependently verified that all exploited ESG appliances, even those with patches pushed out\nby Barracuda, remain at risk for continued computer network compromise from suspected PRC\ncyber actors exploiting this vulnerability", "modified": "2023-09-24T07:00:54.802000", "created": "2023-08-25T07:17:45.287000", "tags": [ "CVE-2023-2868", "ESG", "PRC cyber actors", "data exfiltration", "credential harvesting", "email scanning,", "persistent access", "SUBMARINE", "WHIRLPOOL", "SEASPY" ], "references": [ "https://www.ic3.gov/Media/News/2023/230823.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 7 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ec44bd531914683f1a0d2a", "name": "Suspected PRC Cyber ActorsContinue to Globally Exploit Barracuda (@Tra1sa111) ", "description": "", "modified": "2023-09-24T07:00:54.802000", "created": "2023-08-28T06:54:53.114000", "tags": [ "CVE-2023-2868", "ESG", "PRC cyber actors", "data exfiltration", "credential harvesting", "email scanning,", "persistent access", "SUBMARINE", "WHIRLPOOL", "SEASPY" ], "references": [ "https://www.ic3.gov/Media/News/2023/230823.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "64ec3691ba8ffb01f4b54bfe", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 7 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64cb8b69b908aebe22e27b8b", "name": "SUBMARINE backdoor", "description": "The CISA shared details about three backdoor malware variants that were used to abuse Barracuda ESG appliances, including a new persistent backdoor dubbed SUBMARINE. The malware were deployed by threat actors who exploited a critical RCE flaw (CVE-2023-2868) in ESG devices as zero-day last year. The China-based actor tracked as UNC4841 could be behind the attack, opined experts. The attackers utilized phishing emails with booby-trapped TAR file attachments to gain initial access and implant backdoors for persistence.", "modified": "2023-09-02T11:02:24.717000", "created": "2023-08-03T11:11:37.991000", "tags": [ "md5 hash", "domain" ], "references": [ "SUBMARINE backdoor IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ASQ505sa", "id": "217420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 14, "FileHash-SHA256": 14, "domain": 8 }, "indicator_count": 109, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "961 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6493880df550dfa06eb8290c", "name": "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by threat actor UNC2529", "description": "", "modified": "2023-07-21T23:04:31.937000", "created": "2023-06-21T23:30:21.181000", "tags": [ "OSINT", "CVE-2023-2868", "Barracuda", "RCE", "Exploit", "Vulnerability" ], "references": [ "https://community.riskiq.com/article/f15e2c46" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 2, "domain": 8, "FileHash-SHA256": 2 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 1604, "modified_text": "1003 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "648c21c01d8b78d4da9a4fc8", "name": "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant", "description": "Mandiant, the world's leading cyber security provider, has announced that it is expanding its services and offering products and services to help companies and governments defend against cyber crime. and other cyber threats.", "modified": "2023-07-16T08:01:59.875000", "created": "2023-06-16T08:48:00.230000", "tags": [ "whirlpool", "seaspy", "unc4841", "mandiant", "barracuda", "cve20232868", "barracuda esg", "esgip", "seaspray", "base64", "download", "june", "python", "team" ], "references": [ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally" ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "Taiwan", "China" ], "malware_families": [ { "id": "SEASPY", "display_name": "SEASPY", "target": null }, { "id": "WHIRLPOOL", "display_name": "WHIRLPOOL", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [ "Trade", "Foreign", "Foreign Affairs", "Academics", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 76, "FileHash-SHA1": 12, "FileHash-SHA256": 12, "URL": 5, "YARA": 9, "domain": 8 }, "indicator_count": 123, "is_author": false, "is_subscribing": null, "subscriber_count": 849, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "648c09454c6a8d654d136228", "name": "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China", "description": "", "modified": "2023-07-15T19:00:06.454000", "created": "2023-06-16T07:03:33.908000", "tags": [ "CVE-2023-2868", "Barracuda", "Phishing", "WHIRLPOOL", "C programming language", "SEASPRAY", "SANDBAR", "SEASIDE" ], "references": [ "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "white", "cloned_from": "648bf96b54c25e391b14810f", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "YARA": 9, "domain": 8 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", ".ICE-unix", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "tmp.ziktUZeKXL", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "tst-bz26353KOtJVp", "plasma-csd-generator.LTvjbT", "@tmp", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "tmp.D4NXyZ3U4J", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "strlcpydb8x03.c", ".org.chromium.Chromium.8GBhMA", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", "qtsingleapp-Notifi-4c42-3e8", "qtsingleapp-Octopi-1d88-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", ".vbox-mrkd-ipc", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "albert_yt_ynb2tftv", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "pytest-of-mrkd", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "stdbool.hcc0B2j.c", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "fish.root", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "20230816_202710-scantemp.b14ff4bc3a", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "stdbool.ht64kj6qw.c", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "bauh@mrkd", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "Sep week4.pdf", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "v8-compile-cache-1000", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", ".org.chromium.Chromium.12ZdF3", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "qtsingleapp-Octopi-1d88-3e8", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "https://www.silentpush.com/blog/salt-typhoon-2025/", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "https://www.ic3.gov/Media/News/2023/230823.pdf", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "https://community.riskiq.com/article/f15e2c46", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", ".org.chromium.Chromium.coQnti", ".org.chromium.Chromium.HMzFxo", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "SUBMARINE backdoor IOCs.csv", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", ".org.chromium.Chromium.T2jdbS", "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", "tmp90lfbdek", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "v8-compile-cache-0", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "strlcatmMvE1V.c", "runtime-root", "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "Sep week2.pdf", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", ".X0-lock", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd", ".X11-unix" ], "related": { "alienvault": { "adversary": [ "GhostEmperor", "UNC4841", "Salt Typhoon, UNC4841" ], "malware_families": [ "Foxglove", "Depthcharge", "Skipjack", "Unc3886", "Reptile", "Castletap", "Foxtrot", "Base64", "Driedmoat" ], "industries": [ "Aerospace", "Government", "Information technology", "Technology", "Biotechnology", "Foreign", "Trade", "Semiconductor", "Foreign affairs", "Energy", "High tech", "Healthcare", "Manufacturing", "Telecommunications", "Defense" ] }, "other": { "adversary": [ "Known", "BeaverTail, Gunra Ransomware, Lockbit, Lumma Staeler, TamperedChef, RedNovember, XWorm campaign", "N/A", "UNC4841", "Salt Typhoon", "Salt Typhoon, UNC4841", "Multiple" ], "malware_families": [ "Backdoor:win32/r2d2.a", "Netexecutablemicrosoft", "Skipjack", "Whirlpool", "Trojandownloader:linux/morila!mtb", "Foxtrot", "Reptile", "Slf:mamacsemacro.a", "Sf:shellcode-dz\\ [trj]", "Trojandropper:win32/fakeflexnet.a", "Foxglove", "Ransom:linux/darkradiation.a!mtb", "Bv:telegrambot-a\\ [trj]", "Seaspy", "Base64", "Depthcharge", "Unc3886", "Castletap", "Delphi", "Driedmoat" ], "industries": [ "Information technology", "Academics", "Individuals", "Aerospace", "Biotechnology", "Trade", "High tech", "Telecommunications", "Healthcare", "Government", "Foreign", "Foreign affairs", "Manufacturing", "Critical infrastructure", "Defense", "Technology", "Semiconductor", "Energy", "Telecom", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "68d56db8ea32a255b0de8822", "name": "Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat", "description": "Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications data from telecom providers and critical infrastructure sectors. The group operates with MSS oversight and support from pseudo-private contractors, using front companies to obscure attribution. Salt Typhoon's campaigns utilize bespoke malware, living-off-the-land binaries, and stealthy router implants, with a targeting profile spanning the U.S., U.K., Taiwan, and EU. Their operations are notable for using publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.", "modified": "2025-09-25T19:09:29.549000", "created": "2025-09-25T16:28:40.891000", "tags": [ "cve-2024-3400", "long-term persistence", "china chopper", "infrastructure targeting", "demodex", "advanced persistent threat", "cve-2023-20198", "ministry of state security", "sigrouter", "telecommunications", "china", "cve-2023-35082", "contractor ecosystem", "cyber espionage" ], "references": [ "https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "United States of America", "Taiwan", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1601.002", "name": "Downgrade System Image", "display_name": "T1601.002 - Downgrade System Image" } ], "industries": [ "Telecommunications", "Defense", "Government", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "domain": 37, "hostname": 6 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 377721, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bef37d948f9f130f1cbecc", "name": "Significant Risk and Proactive Defense", "description": "A comprehensive analysis reveals a substantial threat posed by domains linked to Salt Typhoon and UNC4841, likely China-associated cyberespionage actors. The investigation uncovered a larger network of domain names beyond those publicly known, indicating a pattern of long-term access and sophisticated operations. A recent breach of a U.S. telecommunications provider, discovered a year after the fact, underscores the persistent nature of these threats. Organizations potentially at risk of Chinese espionage are strongly advised to scrutinize their DNS logs for the past five years, checking for requests to listed domains, subdomains, and associated IP addresses. Ongoing monitoring and information sharing are crucial in defending against this evolving threat landscape.", "modified": "2025-09-08T15:19:36.403000", "created": "2025-09-08T15:17:17.853000", "tags": [ "telecommunications", "persistent threat", "domain infrastructure", "long-term access", "cyberespionage" ], "references": [ "https://www.silentpush.com/blog/salt-typhoon-2025/" ], "public": 1, "adversary": "Salt Typhoon, UNC4841", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1590.001", "name": "Domain Properties", "display_name": "T1590.001 - Domain Properties" } ], "industries": [ "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 63194, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 45, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 377723, "modified_text": "223 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64edfc5ab93abb1407070292", "name": "Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)", "description": "UNC4841 has continued to show sophistication and adaptability in response to remediation efforts. Specifically, UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda\u2019s remediation guidance.", "modified": "2023-09-28T14:00:22.225000", "created": "2023-08-29T14:10:33.719000", "tags": [ "unc4841", "depthcharge", "foxtrot", "barracuda", "foxglove", "skipjack", "cve20232868", "ghostemperor", "unc3886", "castletap", "driedmoat" ], "references": [ "https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" ], "public": 1, "adversary": "UNC4841", "targeted_countries": [ "China", "Taiwan", "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "UNC3886", "display_name": "UNC3886", "target": null }, { "id": "CASTLETAP", "display_name": "CASTLETAP", "target": null }, { "id": "DRIEDMOAT", "display_name": "DRIEDMOAT", "target": null }, { "id": "REPTILE", "display_name": "REPTILE", "target": null }, { "id": "DEPTHCHARGE", "display_name": "DEPTHCHARGE", "target": null }, { "id": "SKIPJACK", "display_name": "SKIPJACK", "target": null }, { "id": "FOXGLOVE", "display_name": "FOXGLOVE", "target": null }, { "id": "FOXTROT", "display_name": "FOXTROT", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Government", "Information Technology", "High Tech", "Foreign", "Aerospace", "Technology", "Telecommunications", "Manufacturing", "Healthcare", "Biotechnology", "Defense", "Foreign Affairs", "Trade", "Semiconductor" ], "TLP": "white", "cloned_from": null, "export_count": 399, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 120, "FileHash-SHA1": 16, "FileHash-SHA256": 16, "YARA": 4, "domain": 8, "hostname": 2 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 377721, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-04-20T01:32:33.227000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 509578, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48213, "domain": 72685 }, "indicator_count": 120898, "is_author": false, "is_subscribing": null, "subscriber_count": 1699, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6872000, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a9a77a47c528558c8ef", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:48:26.770000", "created": "2026-01-21T04:48:26.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a66c4042524a1ef26a8", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:34.615000", "created": "2026-01-21T04:47:34.615000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a57b1aa54d1ca1e9777", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:47:19.388000", "created": "2026-01-21T04:47:19.388000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a330e5bb8fbd2e958ff", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:43.394000", "created": "2026-01-21T04:46:43.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69705a308ae683c590bcbe71", "name": "malwarebad.txt", "description": "", "modified": "2026-01-21T04:46:40.973000", "created": "2026-01-21T04:46:40.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1852d337eca8e99c2ec32", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RussianMob", "id": "378536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48106, "domain": 72668 }, "indicator_count": 120774, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fessionalwork.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fessionalwork.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776692188.7740185 }