{
  "type": "Domain",
  "indicator": "fixme.it",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/fixme.it",
    "alexa": "http://www.alexa.com/siteinfo/fixme.it",
    "indicator": "fixme.it",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3782300044,
      "indicator": "fixme.it",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "692cbe4c87d612455d6b0c77",
          "name": "Financial Sector Ransomware & Banking Threats - LockBit + BlackBasta + Lazarus (CISA AA23-325A, AA24-131A) - DugganUSA",
          "description": "Financial sector ransomware and nation-state banking threats. LockBit exploited Citrix Bleed (CVE-2023-4966) against ICBC ($9B Treasury disruption). BlackBasta 500+ victims including finance. Lazarus APT38 SWIFT attacks ($81M Bangladesh heist). FS-ISAC: 406 financial sector victims Apr 2024-2025. SOX Section 302/404 material weakness implications. STIX: analytics.dugganusa.com/api/v1/stix-feed",
          "modified": "2025-12-30T21:02:13.274000",
          "created": "2025-11-30T21:59:40.226000",
          "tags": [
            "financial",
            "banking",
            "lockbit",
            "blackbasta",
            "lazarus",
            "apt38",
            "swift",
            "ransomware",
            "citrix-bleed",
            "sox",
            "cisa",
            "dugganusa",
            "nation-state"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a",
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a",
            "https://www.fsisac.com/navigatingcyber2025",
            "https://analytics.dugganusa.com/api/v1/stix-feed",
            "https://www.dugganusa.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom",
            "Australia"
          ],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "BlackBasta",
              "display_name": "BlackBasta",
              "target": null
            },
            {
              "id": "Lazarus",
              "display_name": "Lazarus",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            }
          ],
          "industries": [
            "Financial Services",
            "Banking"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "pduggusa",
            "id": "371400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 8,
            "FileHash-SHA256": 5,
            "domain": 2,
            "FilePath": 1,
            "YARA": 1
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 194,
          "modified_text": "152 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f71c8324e5867aac6c2d30",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
          "description": "",
          "modified": "2025-05-10T01:01:10.390000",
          "created": "2025-04-10T01:18:59.600000",
          "tags": [
            "strong",
            "cisa",
            "lockbit",
            "citrix bleed",
            "netscaler adc",
            "iocs",
            "cve20234966",
            "mitre att",
            "powershell",
            "stopransomware",
            "psexec",
            "sector",
            "tools",
            "anydesk",
            "impacket",
            "enterprise",
            "hunt",
            "lsass",
            "cyber",
            "local",
            "download",
            "august",
            "malware",
            "legend",
            "adrecon",
            "plink",
            "service",
            "open",
            "import",
            "restrict",
            "upgrade",
            "protect",
            "ransomware",
            "mcafee",
            "ghost"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CTIwangus",
            "id": "186095",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 8,
            "URL": 5,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "387 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c55ae268b5c4556694db9f",
          "name": "CapsaciPhone.com | Found in Denver Recording Studio Domain",
          "description": "Emotet,\nLockBit,\nMakop,\nRedLine Stealer,",
          "modified": "2024-03-09T22:05:06.644000",
          "created": "2024-02-08T22:51:14.111000",
          "tags": [
            "contacted",
            "december",
            "dropped",
            "cymulate",
            "url collection",
            "execution",
            "ssl certificate",
            "roundup",
            "threat roundup",
            "unknown",
            "a domains",
            "domain",
            "creation date",
            "search",
            "tnhh quan",
            "dau tu",
            "dat ngoc",
            "date",
            "showing",
            "body",
            "next",
            "nxdomain",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "cbe cnalphassl",
            "sha256",
            "g2 oglobalsign",
            "validity",
            "public key",
            "info",
            "email",
            "code",
            "server",
            "registrar abuse",
            "available from",
            "country",
            "cong ty",
            "porn",
            "referrer",
            "whois record",
            "historical ssl",
            "resolutions",
            "urls http",
            "malware",
            "lockbit",
            "makop",
            "redline stealer",
            "core",
            "iframe",
            "whois whois",
            "maliciosa",
            "relacionada con",
            "january",
            "february",
            "attack",
            "bitrat",
            "hacktool",
            "malicious",
            "emotet",
            "wide"
          ],
          "references": [
            "capsaciphone.com",
            "nr-data.net. [Apple Private Data Collection]",
            "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
            "www.pornhub.com [iOS password decryption]",
            "www.anyxxxtube.net",
            "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "golddesisex.com",
            "websexgay.net",
            "http://golddesisex.com/en/search/xxx-bloody-hymen",
            "http://golddesisex.com/en/search/boob-licking-gifs",
            "http://173.255.214.126:8080/oMhELssex",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
            "Found in https://side3.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Makop",
              "display_name": "Makop",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 939,
            "URL": 5397,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 78,
            "FileHash-SHA256": 2224,
            "hostname": 1294,
            "email": 3,
            "CVE": 3
          },
          "indicator_count": 10016,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "813 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655cd810f251f982bbed7b6e",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
          "description": "Ransomware is a growing threat to networks, but how do you protect against it and what can you know about the latest threat? \u00a32.5m worth of ransomware has been discovered on a Boeing website.",
          "modified": "2023-12-21T16:04:29.917000",
          "created": "2023-11-21T16:17:20.724000",
          "tags": [
            "cisa",
            "lockbit",
            "netscaler adc",
            "iocs",
            "cve20234966",
            "powershell",
            "ttps",
            "center",
            "mitre att",
            "citrix bleed",
            "anydesk",
            "enterprise",
            "lsass",
            "psexec",
            "august",
            "plink",
            "service",
            "restrict",
            "upgrade",
            "bleed",
            "threat"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Bleed",
              "display_name": "Bleed",
              "target": null
            },
            {
              "id": "Threat",
              "display_name": "Threat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Education",
            "Energy",
            "Financial Services",
            "Food",
            "Agriculture",
            "Government",
            "Healthcare",
            "Manufacturing",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 8,
            "URL": 5,
            "YARA": 5,
            "domain": 3,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "892 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "golddesisex.com",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "http://golddesisex.com/en/search/xxx-bloody-hymen",
        "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
        "Found in https://side3.com",
        "www.pornhub.com [iOS password decryption]",
        "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
        "websexgay.net",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
        "http://golddesisex.com/en/search/boob-licking-gifs",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "nr-data.net. [Apple Private Data Collection]",
        "www.anyxxxtube.net",
        "https://analytics.dugganusa.com/api/v1/stix-feed",
        "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
        "https://www.fsisac.com/navigatingcyber2025",
        "http://173.255.214.126:8080/oMhELssex",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a",
        "https://www.dugganusa.com",
        "capsaciphone.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Threat",
            "Lockbit",
            "Blackbasta",
            "Bleed",
            "Redline stealer",
            "Qakbot",
            "Makop",
            "Lazarus",
            "Emotet"
          ],
          "industries": [
            "Banking",
            "Food",
            "Education",
            "Critical infrastructure",
            "Agriculture",
            "Healthcare",
            "Energy",
            "Government",
            "Transportation",
            "Financial services",
            "Manufacturing"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "692cbe4c87d612455d6b0c77",
      "name": "Financial Sector Ransomware & Banking Threats - LockBit + BlackBasta + Lazarus (CISA AA23-325A, AA24-131A) - DugganUSA",
      "description": "Financial sector ransomware and nation-state banking threats. LockBit exploited Citrix Bleed (CVE-2023-4966) against ICBC ($9B Treasury disruption). BlackBasta 500+ victims including finance. Lazarus APT38 SWIFT attacks ($81M Bangladesh heist). FS-ISAC: 406 financial sector victims Apr 2024-2025. SOX Section 302/404 material weakness implications. STIX: analytics.dugganusa.com/api/v1/stix-feed",
      "modified": "2025-12-30T21:02:13.274000",
      "created": "2025-11-30T21:59:40.226000",
      "tags": [
        "financial",
        "banking",
        "lockbit",
        "blackbasta",
        "lazarus",
        "apt38",
        "swift",
        "ransomware",
        "citrix-bleed",
        "sox",
        "cisa",
        "dugganusa",
        "nation-state"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a",
        "https://www.fsisac.com/navigatingcyber2025",
        "https://analytics.dugganusa.com/api/v1/stix-feed",
        "https://www.dugganusa.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom",
        "Australia"
      ],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "BlackBasta",
          "display_name": "BlackBasta",
          "target": null
        },
        {
          "id": "Lazarus",
          "display_name": "Lazarus",
          "target": null
        },
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        }
      ],
      "industries": [
        "Financial Services",
        "Banking"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "pduggusa",
        "id": "371400",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 8,
        "FileHash-SHA256": 5,
        "domain": 2,
        "FilePath": 1,
        "YARA": 1
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 194,
      "modified_text": "152 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f71c8324e5867aac6c2d30",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
      "description": "",
      "modified": "2025-05-10T01:01:10.390000",
      "created": "2025-04-10T01:18:59.600000",
      "tags": [
        "strong",
        "cisa",
        "lockbit",
        "citrix bleed",
        "netscaler adc",
        "iocs",
        "cve20234966",
        "mitre att",
        "powershell",
        "stopransomware",
        "psexec",
        "sector",
        "tools",
        "anydesk",
        "impacket",
        "enterprise",
        "hunt",
        "lsass",
        "cyber",
        "local",
        "download",
        "august",
        "malware",
        "legend",
        "adrecon",
        "plink",
        "service",
        "open",
        "import",
        "restrict",
        "upgrade",
        "protect",
        "ransomware",
        "mcafee",
        "ghost"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CTIwangus",
        "id": "186095",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 8,
        "URL": 5,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2,
      "modified_text": "387 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c55ae268b5c4556694db9f",
      "name": "CapsaciPhone.com | Found in Denver Recording Studio Domain",
      "description": "Emotet,\nLockBit,\nMakop,\nRedLine Stealer,",
      "modified": "2024-03-09T22:05:06.644000",
      "created": "2024-02-08T22:51:14.111000",
      "tags": [
        "contacted",
        "december",
        "dropped",
        "cymulate",
        "url collection",
        "execution",
        "ssl certificate",
        "roundup",
        "threat roundup",
        "unknown",
        "a domains",
        "domain",
        "creation date",
        "search",
        "tnhh quan",
        "dau tu",
        "dat ngoc",
        "date",
        "showing",
        "body",
        "next",
        "nxdomain",
        "record type",
        "ttl value",
        "algorithm",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "cbe cnalphassl",
        "sha256",
        "g2 oglobalsign",
        "validity",
        "public key",
        "info",
        "email",
        "code",
        "server",
        "registrar abuse",
        "available from",
        "country",
        "cong ty",
        "porn",
        "referrer",
        "whois record",
        "historical ssl",
        "resolutions",
        "urls http",
        "malware",
        "lockbit",
        "makop",
        "redline stealer",
        "core",
        "iframe",
        "whois whois",
        "maliciosa",
        "relacionada con",
        "january",
        "february",
        "attack",
        "bitrat",
        "hacktool",
        "malicious",
        "emotet",
        "wide"
      ],
      "references": [
        "capsaciphone.com",
        "nr-data.net. [Apple Private Data Collection]",
        "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
        "www.pornhub.com [iOS password decryption]",
        "www.anyxxxtube.net",
        "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "golddesisex.com",
        "websexgay.net",
        "http://golddesisex.com/en/search/xxx-bloody-hymen",
        "http://golddesisex.com/en/search/boob-licking-gifs",
        "http://173.255.214.126:8080/oMhELssex",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
        "Found in https://side3.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "Makop",
          "display_name": "Makop",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 939,
        "URL": 5397,
        "FileHash-MD5": 78,
        "FileHash-SHA1": 78,
        "FileHash-SHA256": 2224,
        "hostname": 1294,
        "email": 3,
        "CVE": 3
      },
      "indicator_count": 10016,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "813 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655cd810f251f982bbed7b6e",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
      "description": "Ransomware is a growing threat to networks, but how do you protect against it and what can you know about the latest threat? \u00a32.5m worth of ransomware has been discovered on a Boeing website.",
      "modified": "2023-12-21T16:04:29.917000",
      "created": "2023-11-21T16:17:20.724000",
      "tags": [
        "cisa",
        "lockbit",
        "netscaler adc",
        "iocs",
        "cve20234966",
        "powershell",
        "ttps",
        "center",
        "mitre att",
        "citrix bleed",
        "anydesk",
        "enterprise",
        "lsass",
        "psexec",
        "august",
        "plink",
        "service",
        "restrict",
        "upgrade",
        "bleed",
        "threat"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "Bleed",
          "display_name": "Bleed",
          "target": null
        },
        {
          "id": "Threat",
          "display_name": "Threat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Critical Infrastructure",
        "Education",
        "Energy",
        "Financial Services",
        "Food",
        "Agriculture",
        "Government",
        "Healthcare",
        "Manufacturing",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 8,
        "URL": 5,
        "YARA": 5,
        "domain": 3,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "892 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "fixme.it",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "fixme.it",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780284248.6982434
}