{
  "type": "Domain",
  "indicator": "finalshell-ssh.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/finalshell-ssh.com",
    "alexa": "http://www.alexa.com/siteinfo/finalshell-ssh.com",
    "indicator": "finalshell-ssh.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4133391284,
      "indicator": "finalshell-ssh.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "6a12fbc0117778eaba6e378a",
          "name": "EbeeMay2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-24T13:23:12.428000",
          "created": "2026-05-24T13:23:12.428000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "rnuarbvf url",
            "z5brjsogj789",
            "da6ah3",
            "goceqc6sk"
          ],
          "references": [],
          "public": 1,
          "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 84,
            "URL": 63,
            "CVE": 21,
            "FileHash-MD5": 204,
            "FileHash-SHA1": 197,
            "FileHash-SHA256": 220,
            "domain": 122,
            "email": 13,
            "hostname": 99
          },
          "indicator_count": 1023,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e58aaa3b2b96ee8a9fee13",
          "name": "IOC - Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers with Kong RAT",
          "description": "In March 2026, eSentire's Threat Response Unit detected a sophisticated multi-stage malware campaign targeting Chinese-speaking developers and IT professionals through search engine optimization (SEO) poisoning. Victims searching for popular Chinese developer tools, including FinalShell SSH client, Xshell, QuickQ VPN, and Clash proxy, were redirected to convincing lookalike domains that delivered trojanized installers. TRU is tracking this threat as Kong RAT, named for its consistent use of the string \"Kong\" across registry keys/file paths used by the malware. The campaign's infrastructure consists of a network of spoofed Chinese software domains hosted on shared infrastructure, active from May 2025 through March 2026. Initial payloads were delivered via Alibaba Cloud Object Storage (Hong Kong region), and all stages consistently used oss-cn-hongkong.aliyuncs[.]com for payload hosting and C2 telemetry.",
          "modified": "2026-05-20T02:13:53.711000",
          "created": "2026-04-20T02:08:42.158000",
          "tags": [
            "localappdata",
            "network",
            "payload hosting",
            "kong rat",
            "additional c2",
            "file hashes",
            "primary c2",
            "programsbvasted",
            "of compromise",
            "campaign",
            "magic",
            "cloud"
          ],
          "references": [
            "https://www.esentire.com/blog/multi-stage-seo-poisoning-campaign-targets-chinese-speaking-developers-with-kong-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 22,
            "URL": 2,
            "domain": 5,
            "hostname": 3
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0d0e17b054362c67c4ad83",
          "name": "Twitter Feed - HunterStrategy - 19-05-2026",
          "description": "",
          "modified": "2026-05-20T01:27:51.615000",
          "created": "2026-05-20T01:27:51.615000",
          "tags": [],
          "references": [
            "https://x.com/HunterStrategy/status/2056752737950261291"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 3,
            "URL": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a095728a90867ecb8319892",
          "name": "Fake FinalShell and Xshell Sites Deliver Kong RAT Malware",
          "description": "",
          "modified": "2026-05-17T05:50:32.821000",
          "created": "2026-05-17T05:50:32.821000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "domain": 5,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "14 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d0a91eccf1032f669cd486",
          "name": "IOC - \u6e38\u86c7\uff08\u94f6\u72d0\uff09\u9ed1\u4ea7\u4f20\u64ad\u4e0e\u6280\u6218\u672f\u6301\u7eed\u8ffd\u8e2a\uff1a\u4eff\u5192FinalShell\u7ba1\u7406\u8f6f\u4ef6\u7684\u653b\u51fb\u624b\u6cd5\u5206\u6790",
          "description": "\u5b89\u5929CERT\u8fd1\u671f\u53d1\u73b0\u201c\u6e38\u86c7\uff08\u94f6\u72d0\uff09\u201d\u9ed1\u4ea7\u5229\u7528\u4eff\u5192\u7684FinalShell\u4e0b\u8f7d\u7f51\u7ad9\u4f20\u64ad\u8fdc\u63a7\u6728\u9a6c\uff0c\u5e76\u7ed3\u5408\u641c\u7d22\u5f15\u64ceSEO\u6280\u672f\u8fdb\u884c\u6295\u6bd2\u653b\u51fb\uff0c\u4f7f\u5176\u642d\u5efa\u7684\u6076\u610f\u7f51\u7ad9\u5728\u641c\u7d22\u7ed3\u679c\u4e2d\u7684\u6392\u540d\u9760\u524d\uff0c\u5e76\u4e14\u5176\u57df\u540d\u4e5f\u5177\u6709\u4e00\u5b9a\u7684\u8ff7\u60d1\u6027\uff0c\u4ece\u800c\u8bf1\u5bfc\u7528\u6237\u8bbf\u95ee\u5e76\u4e0b\u8f7d\u6076\u610f\u7a0b\u5e8f\u3002\u6b64\u5916\uff0c\u5b89\u5929CERT\u53d1\u73b0\u6709CSDN\u7528\u6237\u66fe\u5728\u53d1\u5e03\u7684\u6587\u7ae0\u4e2d\u5c06\u8be5\u6076\u610f\u7f51\u7ad9\u63cf\u8ff0\u4e3a\u5b98\u7f51\u4e0b\u8f7d\u5730\u5740\u3002FinalShell\u662f\u4e00\u6b3e\u96c6\u8fdc\u7a0b\u8fde\u63a5\u3001\u7cfb\u7edf\u7ba1\u7406\u548c\u5f00\u53d1\u8f85\u52a9\u4e8e\u4e00\u4f53\u7684\u8de8\u5e73\u53f0\u5de5\u5177\uff0c\u7531\u56fd\u5185\u56e2\u961f\u5f00\u53d1\uff0c\u652f\u6301Windows\u3001macOS\u3001Linux\uff0c\u5e38\u7528\u4e8e\u8fd0\u7ef4\u548c\u5f00\u53d1\u573a\u666f\u3002",
          "modified": "2025-09-22T01:40:46.352000",
          "created": "2025-09-22T01:40:46.352000",
          "tags": [],
          "references": [
            "https://mp.weixin.qq.com/s/Pr_UAZsSmKzFVhkVe7iE1w"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "251 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/HunterStrategy/status/2056752737950261291",
        "https://www.esentire.com/blog/multi-stage-seo-poisoning-campaign-targets-chinese-speaking-developers-with-kong-rat",
        "https://mp.weixin.qq.com/s/Pr_UAZsSmKzFVhkVe7iE1w"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "6a12fbc0117778eaba6e378a",
      "name": "EbeeMay2026 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-24T13:23:12.428000",
      "created": "2026-05-24T13:23:12.428000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "rnuarbvf url",
        "z5brjsogj789",
        "da6ah3",
        "goceqc6sk"
      ],
      "references": [],
      "public": 1,
      "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 84,
        "URL": 63,
        "CVE": 21,
        "FileHash-MD5": 204,
        "FileHash-SHA1": 197,
        "FileHash-SHA256": 220,
        "domain": 122,
        "email": 13,
        "hostname": 99
      },
      "indicator_count": 1023,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e58aaa3b2b96ee8a9fee13",
      "name": "IOC - Multi-Stage SEO Poisoning Campaign Targets Chinese-Speaking Developers with Kong RAT",
      "description": "In March 2026, eSentire's Threat Response Unit detected a sophisticated multi-stage malware campaign targeting Chinese-speaking developers and IT professionals through search engine optimization (SEO) poisoning. Victims searching for popular Chinese developer tools, including FinalShell SSH client, Xshell, QuickQ VPN, and Clash proxy, were redirected to convincing lookalike domains that delivered trojanized installers. TRU is tracking this threat as Kong RAT, named for its consistent use of the string \"Kong\" across registry keys/file paths used by the malware. The campaign's infrastructure consists of a network of spoofed Chinese software domains hosted on shared infrastructure, active from May 2025 through March 2026. Initial payloads were delivered via Alibaba Cloud Object Storage (Hong Kong region), and all stages consistently used oss-cn-hongkong.aliyuncs[.]com for payload hosting and C2 telemetry.",
      "modified": "2026-05-20T02:13:53.711000",
      "created": "2026-04-20T02:08:42.158000",
      "tags": [
        "localappdata",
        "network",
        "payload hosting",
        "kong rat",
        "additional c2",
        "file hashes",
        "primary c2",
        "programsbvasted",
        "of compromise",
        "campaign",
        "magic",
        "cloud"
      ],
      "references": [
        "https://www.esentire.com/blog/multi-stage-seo-poisoning-campaign-targets-chinese-speaking-developers-with-kong-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 22,
        "URL": 2,
        "domain": 5,
        "hostname": 3
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0d0e17b054362c67c4ad83",
      "name": "Twitter Feed - HunterStrategy - 19-05-2026",
      "description": "",
      "modified": "2026-05-20T01:27:51.615000",
      "created": "2026-05-20T01:27:51.615000",
      "tags": [],
      "references": [
        "https://x.com/HunterStrategy/status/2056752737950261291"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 3,
        "URL": 3
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a095728a90867ecb8319892",
      "name": "Fake FinalShell and Xshell Sites Deliver Kong RAT Malware",
      "description": "",
      "modified": "2026-05-17T05:50:32.821000",
      "created": "2026-05-17T05:50:32.821000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "domain": 5,
        "hostname": 3
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "14 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d0a91eccf1032f669cd486",
      "name": "IOC - \u6e38\u86c7\uff08\u94f6\u72d0\uff09\u9ed1\u4ea7\u4f20\u64ad\u4e0e\u6280\u6218\u672f\u6301\u7eed\u8ffd\u8e2a\uff1a\u4eff\u5192FinalShell\u7ba1\u7406\u8f6f\u4ef6\u7684\u653b\u51fb\u624b\u6cd5\u5206\u6790",
      "description": "\u5b89\u5929CERT\u8fd1\u671f\u53d1\u73b0\u201c\u6e38\u86c7\uff08\u94f6\u72d0\uff09\u201d\u9ed1\u4ea7\u5229\u7528\u4eff\u5192\u7684FinalShell\u4e0b\u8f7d\u7f51\u7ad9\u4f20\u64ad\u8fdc\u63a7\u6728\u9a6c\uff0c\u5e76\u7ed3\u5408\u641c\u7d22\u5f15\u64ceSEO\u6280\u672f\u8fdb\u884c\u6295\u6bd2\u653b\u51fb\uff0c\u4f7f\u5176\u642d\u5efa\u7684\u6076\u610f\u7f51\u7ad9\u5728\u641c\u7d22\u7ed3\u679c\u4e2d\u7684\u6392\u540d\u9760\u524d\uff0c\u5e76\u4e14\u5176\u57df\u540d\u4e5f\u5177\u6709\u4e00\u5b9a\u7684\u8ff7\u60d1\u6027\uff0c\u4ece\u800c\u8bf1\u5bfc\u7528\u6237\u8bbf\u95ee\u5e76\u4e0b\u8f7d\u6076\u610f\u7a0b\u5e8f\u3002\u6b64\u5916\uff0c\u5b89\u5929CERT\u53d1\u73b0\u6709CSDN\u7528\u6237\u66fe\u5728\u53d1\u5e03\u7684\u6587\u7ae0\u4e2d\u5c06\u8be5\u6076\u610f\u7f51\u7ad9\u63cf\u8ff0\u4e3a\u5b98\u7f51\u4e0b\u8f7d\u5730\u5740\u3002FinalShell\u662f\u4e00\u6b3e\u96c6\u8fdc\u7a0b\u8fde\u63a5\u3001\u7cfb\u7edf\u7ba1\u7406\u548c\u5f00\u53d1\u8f85\u52a9\u4e8e\u4e00\u4f53\u7684\u8de8\u5e73\u53f0\u5de5\u5177\uff0c\u7531\u56fd\u5185\u56e2\u961f\u5f00\u53d1\uff0c\u652f\u6301Windows\u3001macOS\u3001Linux\uff0c\u5e38\u7528\u4e8e\u8fd0\u7ef4\u548c\u5f00\u53d1\u573a\u666f\u3002",
      "modified": "2025-09-22T01:40:46.352000",
      "created": "2025-09-22T01:40:46.352000",
      "tags": [],
      "references": [
        "https://mp.weixin.qq.com/s/Pr_UAZsSmKzFVhkVe7iE1w"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "251 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "finalshell-ssh.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "finalshell-ssh.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211268.257159
}