{
  "type": "Domain",
  "indicator": "firmware-server12.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/firmware-server12.com",
    "alexa": "http://www.alexa.com/siteinfo/firmware-server12.com",
    "indicator": "firmware-server12.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4053253942,
      "indicator": "firmware-server12.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "67ef8546d1d9ef9cd8e91906",
          "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation",
          "description": "The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.",
          "modified": "2025-05-04T07:02:31.627000",
          "created": "2025-04-04T07:07:50.118000",
          "tags": [
            "crm",
            "phishing",
            "coinbase",
            "cryptocurrency",
            "bulk email",
            "ledger",
            "seed phrase poisoning",
            "supply chain"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/"
          ],
          "public": 1,
          "adversary": "PoisonSeed",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386710,
          "modified_text": "393 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e848f9c64772d54fd7164b",
          "name": "Pulling the Threads on the Phish of Troy Hunt",
          "description": "A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.",
          "modified": "2025-04-28T19:03:52.216000",
          "created": "2025-03-29T19:24:41.500000",
          "tags": [
            "infrastructure discovery",
            "mailchimp",
            "threat intelligence",
            "dns pivoting",
            "validin",
            "phishing",
            "troy hunt"
          ],
          "references": [
            "https://www.validin.com/blog/pulling_threads_on_phishing_campaign/"
          ],
          "public": 1,
          "adversary": "Scattered Spider",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1586.002",
              "name": "Email Accounts",
              "display_name": "T1586.002 - Email Accounts"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "domain": 195,
            "hostname": 4
          },
          "indicator_count": 203,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386711,
          "modified_text": "398 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68409244750c4c3b0bbb7729",
          "name": "IOCs 2025 JAN-MAY",
          "description": "Latest IOCs that emerged in 2025",
          "modified": "2025-07-04T18:05:18.397000",
          "created": "2025-06-04T18:36:51.684000",
          "tags": [],
          "references": [
            "IOC.pdf"
          ],
          "public": 1,
          "adversary": "Multiple Threat Actors",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 117,
            "domain": 128,
            "email": 2,
            "hostname": 12
          },
          "indicator_count": 521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6818a576d9c3eec75bbd99ab",
          "name": "PoisonSeed Phishing Campaign Exploits Wallet Seed Phrases in Targeted Email Attacks",
          "description": "The following is a full list of links from the 21st century, which have been shared by the BBC and other sites, and this is the full set of information.",
          "modified": "2025-06-04T11:00:42.004000",
          "created": "2025-05-05T11:48:06.952000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "362 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f86a1c7951763be9e06945",
          "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation - Silent Push",
          "description": "The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. The attackers compromise these platforms to extract email lists and disseminate cryptocurrency-themed spam. A notable tactic involves distributing fraudulent \"seed phrases\" to entice recipients into creating new cryptocurrency wallets, which are subsequently compromised by the threat actors. This campaign has impacted enterprise organizations and individuals outside the cryptocurrency sector, with links to known threat groups like Scattered Spider and CryptoChameleon.",
          "modified": "2025-05-11T01:04:31.743000",
          "created": "2025-04-11T01:02:20.821000",
          "tags": [
            "cryptochameleon",
            "poisonseed",
            "whois",
            "silent push",
            "march",
            "troy hunt",
            "state",
            "akamai sendgrid",
            "akamai",
            "coinbase",
            "upgrade",
            "april",
            "push",
            "click",
            "back"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PoisonSeed",
              "display_name": "PoisonSeed",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 44
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "386 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f423b6d7efd7b56a823f8d",
          "name": "PoisonSeed Campaign Hijacks CRM Systems to Spread Malicious Crypto Seed Phrases",
          "description": "A new malicious campaign, dubbed PoisonSeed, is exploiting stolen credentials from CRM platforms and bulk email services to send spam messages containing fake cryptocurrency seed phrases. The goal is to trick victims into importing these phrases into their digital wallets, allowing attackers to drain their funds.",
          "modified": "2025-05-07T18:02:38.028000",
          "created": "2025-04-07T19:12:54.433000",
          "tags": [
            "cryptochameleon",
            "poisonseed",
            "whois",
            "silent push",
            "march",
            "troy hunt",
            "state",
            "akamai sendgrid",
            "akamai",
            "coinbase",
            "upgrade",
            "april",
            "push",
            "click",
            "back"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PoisonSeed",
              "display_name": "PoisonSeed",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 44
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "389 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67eb536f7561baa8cbe30914",
          "name": "TTP - Pulling the Threads on the Phish of Troy Hunt",
          "description": "2025\u5e743\u670825\u65e5\uff0c\u5b89\u5168\u7814\u7a76\u5458Troy Hunt\uff08\u201cHave I Been Pwned?\u201d\u9879\u76ee\u521b\u5efa\u8005\uff09\u906d\u9047\u4e00\u6b21\u7cbe\u5fc3\u7b56\u5212\u7684\u9c7c\u53c9\u5f0f\u9493\u9c7c\u653b\u51fb\uff0c\u5bfc\u81f4\u5176Mailchimp\u8d26\u53f7\u88ab\u653b\u7834\u3002\u653b\u51fb\u8005\u5728\u77ed\u65f6\u95f4\u5185\u83b7\u53d6Troy Hunt\u7684\u90ae\u7bb1\u51ed\u636e\u548c\u4e00\u6b21\u6027\u9a8c\u8bc1\u7801\uff08OTP\uff09\uff0c\u5e76\u8fc5\u901f\u5728Mailchimp\u521b\u5efa\u65b0\u7684API\u5bc6\u94a5\u3001\u5bfc\u51fa\u8ba2\u9605\u8005\u540d\u5355\u3002\u6848\u53d1\u540e\uff0cTroy Hunt\u5c06\u9493\u9c7c\u57df\u540dmailchimp-sso.com\u5bf9\u5916\u516c\u793a\uff0c\u5f15\u53d1\u5b89\u5168\u5708\u7684\u96c6\u4e2d\u5173\u6ce8\u3002\n\n\u8c03\u67e5\u56e2\u961f\u57fa\u4e8e\u8be5\u57df\u540d\u5f00\u5c55\u6269\u5c55\u5206\u6790\uff0c\u53d1\u73b0\u6b64\u6d3b\u52a8\u4e0d\u4ec5\u9488\u5bf9Troy Hunt\uff0c\u8fd8\u4e0e\u5df2\u77e5\u7684\u201cScattered Spider\u201d\u6216\u201c0ktapus\u201d\u653b\u51fb\u8005\u7fa4\u4f53\u5b58\u5728\u91cd\u53e0\u3002\u62a5\u544a\u4ecb\u7ecd\u4e86\u5982\u4f55\u5229\u7528\u4e00\u7cfb\u5217DNS\u548c\u4e3b\u673a\u7279\u5f81\u641c\u7d22\uff08host response \u53ca WHOIS\u7b49\uff09\u6765\u8bc6\u522b\u66f4\u591a\u7591\u4f3c\u76f8\u5173\u57df\u540d\u4e0e\u57fa\u7840\u8bbe\u65bd\uff0c\u5e76\u7ed3\u5408\u4e4b\u524d\u88ab\u5f52\u6863\u7684\u9c7c\u53c9\u5f0f\u9493\u9c7c\u6d3b\u52a8\u8fdb\u884c\u4e32\u8054\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u66f4\u5927\u89c4\u6a21\u7684\u8fde\u9501\u9493\u9c7c\u751f\u6001\u3002",
          "modified": "2025-04-28T19:03:52.216000",
          "created": "2025-04-01T02:46:07.059000",
          "tags": [
            "infrastructure discovery",
            "mailchimp",
            "threat intelligence",
            "dns pivoting",
            "validin",
            "phishing",
            "troy hunt"
          ],
          "references": [
            "https://www.validin.com/blog/pulling_threads_on_phishing_campaign/"
          ],
          "public": 1,
          "adversary": "Scattered Spider",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1586.002",
              "name": "Email Accounts",
              "display_name": "T1586.002 - Email Accounts"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67e848f9c64772d54fd7164b",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "domain": 195,
            "hostname": 4
          },
          "indicator_count": 203,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "398 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.validin.com/blog/pulling_threads_on_phishing_campaign/",
        "IOC.pdf",
        "https://www.silentpush.com/blog/poisonseed/",
        "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Scattered Spider",
            "PoisonSeed"
          ],
          "malware_families": [],
          "industries": [
            "Finance",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "Multiple Threat Actors",
            "Scattered Spider"
          ],
          "malware_families": [
            "Poisonseed"
          ],
          "industries": [
            "Crypto",
            "Cryptocurrency"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "67ef8546d1d9ef9cd8e91906",
      "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation",
      "description": "The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.",
      "modified": "2025-05-04T07:02:31.627000",
      "created": "2025-04-04T07:07:50.118000",
      "tags": [
        "crm",
        "phishing",
        "coinbase",
        "cryptocurrency",
        "bulk email",
        "ledger",
        "seed phrase poisoning",
        "supply chain"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/"
      ],
      "public": 1,
      "adversary": "PoisonSeed",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386710,
      "modified_text": "393 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e848f9c64772d54fd7164b",
      "name": "Pulling the Threads on the Phish of Troy Hunt",
      "description": "A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.",
      "modified": "2025-04-28T19:03:52.216000",
      "created": "2025-03-29T19:24:41.500000",
      "tags": [
        "infrastructure discovery",
        "mailchimp",
        "threat intelligence",
        "dns pivoting",
        "validin",
        "phishing",
        "troy hunt"
      ],
      "references": [
        "https://www.validin.com/blog/pulling_threads_on_phishing_campaign/"
      ],
      "public": 1,
      "adversary": "Scattered Spider",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1586.002",
          "name": "Email Accounts",
          "display_name": "T1586.002 - Email Accounts"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "domain": 195,
        "hostname": 4
      },
      "indicator_count": 203,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386711,
      "modified_text": "398 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68409244750c4c3b0bbb7729",
      "name": "IOCs 2025 JAN-MAY",
      "description": "Latest IOCs emerged in 2025",
      "modified": "2025-07-04T18:05:18.397000",
      "created": "2025-06-04T18:36:51.684000",
      "tags": [],
      "references": [
        "IOC.pdf"
      ],
      "public": 1,
      "adversary": "Multiple Threat Actors",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 106,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 117,
        "domain": 128,
        "email": 2,
        "hostname": 12
      },
      "indicator_count": 521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "331 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6818a576d9c3eec75bbd99ab",
      "name": "PoisonSeed Phishing Campaign Exploits Wallet Seed Phrases in Targeted Email Attacks",
      "description": "The following is a full list of links and links from the 21st Century, which have been shared by the BBC, BBC and other sites.. and this is the full set of information.",
      "modified": "2025-06-04T11:00:42.004000",
      "created": "2025-05-05T11:48:06.952000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "362 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f86a1c7951763be9e06945",
      "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation - Silent Push",
      "description": "The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. The attackers compromise these platforms to extract email lists and disseminate cryptocurrency-themed spam. A notable tactic involves distributing fraudulent \"seed phrases\" to entice recipients into creating new cryptocurrency wallets, which are subsequently compromised by the threat actors. This campaign has impacted enterprise organizations and individuals outside the cryptocurrency sector, with links to known threat groups like Scattered Spider and CryptoChameleon.",
      "modified": "2025-05-11T01:04:31.743000",
      "created": "2025-04-11T01:02:20.821000",
      "tags": [
        "cryptochameleon",
        "poisonseed",
        "whois",
        "silent push",
        "march",
        "troy hunt",
        "state",
        "akamai sendgrid",
        "akamai",
        "coinbase",
        "upgrade",
        "april",
        "push",
        "click",
        "back"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PoisonSeed",
          "display_name": "PoisonSeed",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 44
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "386 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f423b6d7efd7b56a823f8d",
      "name": "PoisonSeed Campaign Hijacks CRM Systems to Spread Malicious Crypto Seed Phrases",
      "description": "A new malicious campaign, dubbed PoisonSeed, is exploiting stolen credentials from CRM platforms and bulk email services to send spam messages containing fake cryptocurrency seed phrases. The goal is to trick victims into importing these phrases into their digital wallets, allowing attackers to drain their funds.",
      "modified": "2025-05-07T18:02:38.028000",
      "created": "2025-04-07T19:12:54.433000",
      "tags": [
        "cryptochameleon",
        "poisonseed",
        "whois",
        "silent push",
        "march",
        "troy hunt",
        "state",
        "akamai sendgrid",
        "akamai",
        "coinbase",
        "upgrade",
        "april",
        "push",
        "click",
        "back"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PoisonSeed",
          "display_name": "PoisonSeed",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 44
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "389 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67eb536f7561baa8cbe30914",
      "name": "TTP - Pulling the Threads on the Phish of Troy Hunt",
      "description": "2025\u5e743\u670825\u65e5\uff0c\u5b89\u5168\u7814\u7a76\u5458Troy Hunt\uff08\u201cHave I Been Pwned?\u201d\u9879\u76ee\u521b\u5efa\u8005\uff09\u906d\u9047\u4e00\u6b21\u7cbe\u5fc3\u7b56\u5212\u7684\u9c7c\u53c9\u5f0f\u9493\u9c7c\u653b\u51fb\uff0c\u5bfc\u81f4\u5176Mailchimp\u8d26\u53f7\u88ab\u653b\u7834\u3002\u653b\u51fb\u8005\u5728\u77ed\u65f6\u95f4\u5185\u83b7\u53d6Troy Hunt\u7684\u90ae\u7bb1\u51ed\u636e\u548c\u4e00\u6b21\u6027\u9a8c\u8bc1\u7801\uff08OTP\uff09\uff0c\u5e76\u8fc5\u901f\u5728Mailchimp\u521b\u5efa\u65b0\u7684API\u5bc6\u94a5\u3001\u5bfc\u51fa\u8ba2\u9605\u8005\u540d\u5355\u3002\u6848\u53d1\u540e\uff0cTroy Hunt\u5c06\u9493\u9c7c\u57df\u540dmailchimp-sso.com\u5bf9\u5916\u516c\u793a\uff0c\u5f15\u53d1\u5b89\u5168\u5708\u7684\u96c6\u4e2d\u5173\u6ce8\u3002\n\n\u8c03\u67e5\u56e2\u961f\u57fa\u4e8e\u8be5\u57df\u540d\u5f00\u5c55\u6269\u5c55\u5206\u6790\uff0c\u53d1\u73b0\u6b64\u6d3b\u52a8\u4e0d\u4ec5\u9488\u5bf9Troy Hunt\uff0c\u8fd8\u4e0e\u5df2\u77e5\u7684\u201cScattered Spider\u201d\u6216\u201c0ktapus\u201d\u653b\u51fb\u8005\u7fa4\u4f53\u5b58\u5728\u91cd\u53e0\u3002\u62a5\u544a\u4ecb\u7ecd\u4e86\u5982\u4f55\u5229\u7528\u4e00\u7cfb\u5217DNS\u548c\u4e3b\u673a\u7279\u5f81\u641c\u7d22\uff08host response \u53ca WHOIS\u7b49\uff09\u6765\u8bc6\u522b\u66f4\u591a\u7591\u4f3c\u76f8\u5173\u57df\u540d\u4e0e\u57fa\u7840\u8bbe\u65bd\uff0c\u5e76\u7ed3\u5408\u4e4b\u524d\u88ab\u5f52\u6863\u7684\u9c7c\u53c9\u5f0f\u9493\u9c7c\u6d3b\u52a8\u8fdb\u884c\u4e32\u8054\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u66f4\u5927\u89c4\u6a21\u7684\u8fde\u9501\u9493\u9c7c\u751f\u6001\u3002",
      "modified": "2025-04-28T19:03:52.216000",
      "created": "2025-04-01T02:46:07.059000",
      "tags": [
        "infrastructure discovery",
        "mailchimp",
        "threat intelligence",
        "dns pivoting",
        "validin",
        "phishing",
        "troy hunt"
      ],
      "references": [
        "https://www.validin.com/blog/pulling_threads_on_phishing_campaign/"
      ],
      "public": 1,
      "adversary": "Scattered Spider",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1586.002",
          "name": "Email Accounts",
          "display_name": "T1586.002 - Email Accounts"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67e848f9c64772d54fd7164b",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "domain": 195,
        "hostname": 4
      },
      "indicator_count": 203,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "398 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "firmware-server12.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "firmware-server12.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780332243.857347
}