{ "type": "Domain", "indicator": "forcecodestore.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/forcecodestore.com", "alexa": "http://www.alexa.com/siteinfo/forcecodestore.com", "indicator": "forcecodestore.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4150718795, "indicator": "forcecodestore.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "691bd5c16cda885503b01c6a", "name": "Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem", "description": "UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.", "modified": "2025-12-18T02:03:21.499000", "created": "2025-11-18T02:11:13.651000", "tags": [ "dcsyncer.slick", "third-party compromise", "sightgrab", "aerospace", "trusttrap", "lateral movement", "minibike", "defense", "espionage", "lightrail", "deeproot", "crashpad", "twostroke", "pollblend", "custom malware", "phishing", "privilege escalation", "ghostline" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense" ], "public": 1, "adversary": "UNC1549", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1213.002", "name": "Sharepoint", "display_name": "T1213.002 - Sharepoint" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" } ], "industries": [ "Aerospace", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 9, "hostname": 2, "YARA": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386819, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924ce633a5a9d7ba7f3ee23", "name": "iocblock", "description": "The following is a full list of names and phrases:.. and the following ones:, for the first time, following the release of an online version of the BBC's Newsround programme.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:30:11.057000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691db7e6f9b3774b1c9280e3", "name": "UNC1549 Threat Group Hijacking Trusted DLLs and Executing VDI Breakouts", "description": "UNC1549, a threat group suspected to be linked to Iran has sharply expanded its cyber-espionage operations across the aerospace, aviation, and defence sectors.", "modified": "2025-12-19T12:00:56.285000", "created": "2025-11-19T12:28:22.797000", "tags": [ "iocs", "keep antivirus", "domain", "update", "siem", "strategies", "update siem" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 10 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691d271d2b93ffe288b9cc6f", "name": "IOC - Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem | Google Cloud Blog", "description": "A new report from security firm Mandiant outlines the tactics and tools used by a group targeting the aerospace, aviation and defense industries in the Middle East in late 2023 to mid-2024.", "modified": "2025-12-19T02:00:55.846000", "created": "2025-11-19T02:10:37.809000", "tags": [ "unc1549", "twostroke", "mandiant", "minibike", "dll search", "lightrail", "dlls", "c2 server", "zip file", "lastenzug", "february", "compiler", "virustotal", "c++", "deeproot", "linux", "azure ad", "trusttrap", "dcsyncer.slick" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TWOSTROKE", "display_name": "TWOSTROKE", "target": null }, { "id": "C++", "display_name": "C++", "target": null }, { "id": "DEEPROOT", "display_name": "DEEPROOT", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Azure AD", "display_name": "Azure AD", "target": null }, { "id": "TRUSTTRAP", "display_name": "TRUSTTRAP", "target": null }, { "id": "DCSYNCER.SLICK", "display_name": "DCSYNCER.SLICK", "target": null }, { "id": "LIGHTRAIL", "display_name": "LIGHTRAIL", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Aerospace", "Defense", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 1, "domain": 9, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/", "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense", "Nov.Week2.csv" ], "related": { "alienvault": { "adversary": [ "UNC1549" ], "malware_families": [], "industries": [ "Aerospace", "Defense" ] }, "other": { "adversary": [ "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428" ], "malware_families": [ "Linux", "Lightrail", "Twostroke", "Dcsyncer.slick", "C++", "Deeproot", "Azure ad", "Trusttrap" ], "industries": [ "Aviation", "Aerospace", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "691bd5c16cda885503b01c6a", "name": "Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem", "description": "UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL, and DEEPROOT for persistence, and tools like DCSYNCER.SLICK and CRASHPAD for privilege escalation. UNC1549 demonstrates advanced lateral movement, reconnaissance, and defense evasion tactics. They extensively use SSH reverse tunnels and Azure infrastructure for command and control. The group's primary objective appears to be espionage, focusing on data collection and leveraging compromised organizations to target others in the same sector.", "modified": "2025-12-18T02:03:21.499000", "created": "2025-11-18T02:11:13.651000", "tags": [ "dcsyncer.slick", "third-party compromise", "sightgrab", "aerospace", "trusttrap", "lateral movement", "minibike", "defense", "espionage", "lightrail", "deeproot", "crashpad", "twostroke", "pollblend", "custom malware", "phishing", "privilege escalation", "ghostline" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense" ], "public": 1, "adversary": "UNC1549", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1213.002", "name": "Sharepoint", "display_name": "T1213.002 - Sharepoint" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" } ], "industries": [ "Aerospace", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 9, "hostname": 2, "YARA": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386819, "modified_text": "166 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6924ce633a5a9d7ba7f3ee23", "name": "iocblock", "description": "The following is a full list of names and phrases:.. and the following ones:, for the first time, following the release of an online version of the BBC's Newsround programme.", "modified": "2025-12-24T21:03:40.540000", "created": "2025-11-24T21:30:11.057000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "159 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691db7e6f9b3774b1c9280e3", "name": "UNC1549 Threat Group Hijacking Trusted DLLs and Executing VDI Breakouts", "description": "UNC1549, a threat group suspected to be linked to Iran has sharply expanded its cyber-espionage operations across the aerospace, aviation, and defence sectors.", "modified": "2025-12-19T12:00:56.285000", "created": "2025-11-19T12:28:22.797000", "tags": [ "iocs", "keep antivirus", "domain", "update", "siem", "strategies", "update siem" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 10 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691d271d2b93ffe288b9cc6f", "name": "IOC - Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem | Google Cloud Blog", "description": "A new report from security firm Mandiant outlines the tactics and tools used by a group targeting the aerospace, aviation and defense industries in the Middle East in late 2023 to mid-2024.", "modified": "2025-12-19T02:00:55.846000", "created": "2025-11-19T02:10:37.809000", "tags": [ "unc1549", "twostroke", "mandiant", "minibike", "dll search", "lightrail", "dlls", "c2 server", "zip file", "lastenzug", "february", "compiler", "virustotal", "c++", "deeproot", "linux", "azure ad", "trusttrap", "dcsyncer.slick" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TWOSTROKE", "display_name": "TWOSTROKE", "target": null }, { "id": "C++", "display_name": "C++", "target": null }, { "id": "DEEPROOT", "display_name": "DEEPROOT", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Azure AD", "display_name": "Azure AD", "target": null }, { "id": "TRUSTTRAP", "display_name": "TRUSTTRAP", "target": null }, { "id": "DCSYNCER.SLICK", "display_name": "DCSYNCER.SLICK", "target": null }, { "id": "LIGHTRAIL", "display_name": "LIGHTRAIL", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Aerospace", "Defense", "Aviation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 1, "domain": 9, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "forcecodestore.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "forcecodestore.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780381369.131836 }