{ "type": "Domain", "indicator": "foundedbrounded.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/foundedbrounded.org", "alexa": "http://www.alexa.com/siteinfo/foundedbrounded.org", "indicator": "foundedbrounded.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4010332283, "indicator": "foundedbrounded.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "67d40207691067461210a612", "name": "SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, including reconnaissance, credential theft, and backdoor deployment. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain involves multiple stages, from initial access to ransomware deployment. SocGholish's versatile loader can download and execute malicious payloads, exfiltrate data, and execute arbitrary commands. Recent detections show high activity in the US, primarily targeting government organizations.", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:16:39.016000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386494, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689481dbbbd16703c99f5f10", "name": "Collection of Malware (MintsLoader & SocGholish)", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:37:15.375000", "tags": [], "references": [ "Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 76, "FileHash-SHA256": 211, "URL": 115, "domain": 104, "hostname": 37 }, "indicator_count": 619, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d993ba788ab940f8f08338", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "Trend Research analyzed SocGholish\u2019s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.", "modified": "2025-04-17T15:00:16.410000", "created": "2025-03-18T15:39:37.975000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "408 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d5e01e96eaa7672f46852e", "name": "SocGholish's Exploits Aid in the Spread of RansomHub", "description": "", "modified": "2025-04-14T20:00:04.351000", "created": "2025-03-15T20:16:30.957000", "tags": [ "mitigation", "keep", "update siem", "iocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 13, "hostname": 37 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "411 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e1155085a0db344a04", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:37.878000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e64aac2aefac16a725", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:42.306000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d408ff22965b4a48ac9ac6", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "A review of the findings of a study on the impact of cyber-attacks on a network of more than 100,000 users in the UK, Ireland, Wales and Northern Ireland (NHS).", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:46:23.236000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d7c722fda078d2d2c8e81a", "name": "IOC&TTP - SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "\u8be5\u62a5\u544a\u91cd\u70b9\u8ba8\u8bba\u4e86\u4e00\u79cd\u540d\u4e3aSocGholish\uff08\u6216FakeUpdates\uff09\u7684\u653b\u51fb\u5de5\u5177\u53ca\u5176\u5728\u5165\u4fb5\u94fe\u4e2d\u7684\u5173\u952e\u4f5c\u7528\u3002\u653b\u51fb\u8005\u5f80\u5f80\u901a\u8fc7\u5165\u4fb5\u5408\u6cd5\u7f51\u7ad9\u5e76\u6ce8\u5165\u6076\u610f\u811a\u672c\uff0c\u5c06\u8bbf\u5ba2\u91cd\u5b9a\u5411\u5230\u201c\u4f2a\u9020\u7684\u6d4f\u89c8\u5668\u66f4\u65b0\u201d\u9875\u9762\uff0c\u4ee5\u793e\u4f1a\u5de5\u7a0b\u624b\u6bb5\u8bf1\u9a97\u7528\u6237\u4e0b\u8f7d\u5e76\u6267\u884c\u5305\u542b\u6076\u610fJavaScript\u52a0\u8f7d\u5668\u7684ZIP\u538b\u7f29\u5305\u3002\u8be5\u52a0\u8f7d\u5668\u5177\u5907\u5f3a\u5927\u7684\u4fe1\u606f\u6536\u96c6\u4e0e\u540e\u7eedPayload\u6295\u9012\u80fd\u529b\uff0c\u5305\u62ec\u90e8\u7f72\u540e\u95e8\u3001\u7a83\u53d6\u6d4f\u89c8\u5668\u51ed\u8bc1\uff0c\u5e76\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\uff0c\u4ee5\u5b9e\u73b0\u6301\u4e45\u5316\u63a7\u5236\u3002\n\n\u8fd9\u4e9b\u884c\u52a8\u80cc\u540e\u662f\u88ab\u8ddf\u8e2a\u4e3aWater Scylla\u7684\u591a\u9636\u6bb5\u653b\u51fb\u6d3b\u52a8\uff0c\u5a01\u80c1\u5206\u5b50\u8fd8\u5229\u7528\u4e86Keitaro TDS\u7b49\u6d41\u91cf\u5206\u53d1\u7cfb\u7edf\uff08Traffic Distribution System\uff09\u6765\u7cbe\u51c6\u8fc7\u6ee4\u5e76\u5206\u53d1SocGholish\u8d1f\u8f7d\uff0c\u4ece\u800c\u8fdb\u4e00\u6b65\u9003\u907f\u6c99\u7bb1\u548c\u5b89\u5168\u7814\u7a76\u8005\u7684\u68c0\u6d4b\u3002\u88ab\u611f\u67d3\u7684\u7f51\u7ad9\u6570\u91cf\u5e9e\u5927\uff0c\u53d7\u5bb3\u8005\u5206\u5e03\u5728\u4e0d\u540c\u5730\u533a\uff0c\u5176\u4e2d\u653f\u5e9c\u673a\u6784\u53d7\u5230\u7684\u51b2\u51fb\u6700\u4e3a\u660e\u663e\u3002", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-17T06:54:26.658000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": "67d40207691067461210a612", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d8f5174a667cd827f43ab8", "name": "SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-18T04:22:47.365000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": "67d40207691067461210a612", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a23c5e75e6d05d77815d36", "name": "WordPress Websites Compromised to Deliver Malware", "description": "", "modified": "2025-02-04T16:12:14.760000", "created": "2025-02-04T16:12:14.760000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 16 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "480 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679df7574cc99cee87a41caf", "name": "Large-Scale WordPress Attack Delivers Malware to macOS and Windows", "description": "A threat campaign has compromised 10,000 WordPress sites to deliver malware targeting macOS and Windows.", "modified": "2025-02-01T10:28:39.730000", "created": "2025-02-01T10:28:39.730000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "483 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679b8b4bdf770103aa90a065", "name": "Hackers Use 10,000 WordPress Sites To Deliver Malware To macOS and Microsoft Systems", "description": "A sophisticated cyberattack has compromised over 10,000 WordPress websites, delivering cross-platform malware to unsuspecting users.\n\nThe campaign exploits outdated WordPress versions and plugins, redirecting visitors to fake browser update pages that deploy malicious software targeting both macOS and Windows systems.", "modified": "2025-01-30T14:23:07.732000", "created": "2025-01-30T14:23:07.732000", "tags": [], "references": [ "https://cybersecuritynews.com/hackers-use-10000-wordpress-sites-to-deliver-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 14 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "485 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://cybersecuritynews.com/hackers-use-10000-wordpress-sites-to-deliver-malware/", "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "https://threatfox.abuse.ch/export/csv/recent/", "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt", "Malware.pdf" ], "related": { "alienvault": { "adversary": [ "Water Scylla" ], "malware_families": [ "Ransomhub", "Socgholish" ], "industries": [ "Government", "Consulting", "Banking" ] }, "other": { "adversary": [ "Water Scylla" ], "malware_families": [ "Ransomhub", "Socgholish" ], "industries": [ "Government", "Consulting", "Banking" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "67d40207691067461210a612", "name": "SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "SocGholish, a malware-as-a-service framework, is being used to deploy RansomHub ransomware. It compromises legitimate websites, redirecting visitors to fake browser updates that deliver malicious payloads. The highly obfuscated JavaScript loader evades detection and executes various tasks, including reconnaissance, credential theft, and backdoor deployment. Water Scylla, the group behind this activity, collaborates with threat actors operating rogue Keitaro TDS instances for payload distribution. The attack chain involves multiple stages, from initial access to ransomware deployment. SocGholish's versatile loader can download and execute malicious payloads, exfiltrate data, and execute arbitrary commands. Recent detections show high activity in the US, primarily targeting government organizations.", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:16:39.016000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386494, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689481dbbbd16703c99f5f10", "name": "Collection of Malware (MintsLoader & SocGholish)", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:37:15.375000", "tags": [], "references": [ "Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 76, "FileHash-SHA256": 211, "URL": 115, "domain": 104, "hostname": 37 }, "indicator_count": 619, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d993ba788ab940f8f08338", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "Trend Research analyzed SocGholish\u2019s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.", "modified": "2025-04-17T15:00:16.410000", "created": "2025-03-18T15:39:37.975000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "408 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d5e01e96eaa7672f46852e", "name": "SocGholish's Exploits Aid in the Spread of RansomHub", "description": "", "modified": "2025-04-14T20:00:04.351000", "created": "2025-03-15T20:16:30.957000", "tags": [ "mitigation", "keep", "update siem", "iocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 13, "hostname": 37 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "411 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e1155085a0db344a04", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:37.878000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e64aac2aefac16a725", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:42.306000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d408ff22965b4a48ac9ac6", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "A review of the findings of a study on the impact of cyber-attacks on a network of more than 100,000 users in the UK, Ireland, Wales and Northern Ireland (NHS).", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:46:23.236000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d7c722fda078d2d2c8e81a", "name": "IOC&TTP - SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "\u8be5\u62a5\u544a\u91cd\u70b9\u8ba8\u8bba\u4e86\u4e00\u79cd\u540d\u4e3aSocGholish\uff08\u6216FakeUpdates\uff09\u7684\u653b\u51fb\u5de5\u5177\u53ca\u5176\u5728\u5165\u4fb5\u94fe\u4e2d\u7684\u5173\u952e\u4f5c\u7528\u3002\u653b\u51fb\u8005\u5f80\u5f80\u901a\u8fc7\u5165\u4fb5\u5408\u6cd5\u7f51\u7ad9\u5e76\u6ce8\u5165\u6076\u610f\u811a\u672c\uff0c\u5c06\u8bbf\u5ba2\u91cd\u5b9a\u5411\u5230\u201c\u4f2a\u9020\u7684\u6d4f\u89c8\u5668\u66f4\u65b0\u201d\u9875\u9762\uff0c\u4ee5\u793e\u4f1a\u5de5\u7a0b\u624b\u6bb5\u8bf1\u9a97\u7528\u6237\u4e0b\u8f7d\u5e76\u6267\u884c\u5305\u542b\u6076\u610fJavaScript\u52a0\u8f7d\u5668\u7684ZIP\u538b\u7f29\u5305\u3002\u8be5\u52a0\u8f7d\u5668\u5177\u5907\u5f3a\u5927\u7684\u4fe1\u606f\u6536\u96c6\u4e0e\u540e\u7eedPayload\u6295\u9012\u80fd\u529b\uff0c\u5305\u62ec\u90e8\u7f72\u540e\u95e8\u3001\u7a83\u53d6\u6d4f\u89c8\u5668\u51ed\u8bc1\uff0c\u5e76\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\uff0c\u4ee5\u5b9e\u73b0\u6301\u4e45\u5316\u63a7\u5236\u3002\n\n\u8fd9\u4e9b\u884c\u52a8\u80cc\u540e\u662f\u88ab\u8ddf\u8e2a\u4e3aWater Scylla\u7684\u591a\u9636\u6bb5\u653b\u51fb\u6d3b\u52a8\uff0c\u5a01\u80c1\u5206\u5b50\u8fd8\u5229\u7528\u4e86Keitaro TDS\u7b49\u6d41\u91cf\u5206\u53d1\u7cfb\u7edf\uff08Traffic Distribution System\uff09\u6765\u7cbe\u51c6\u8fc7\u6ee4\u5e76\u5206\u53d1SocGholish\u8d1f\u8f7d\uff0c\u4ece\u800c\u8fdb\u4e00\u6b65\u9003\u907f\u6c99\u7bb1\u548c\u5b89\u5168\u7814\u7a76\u8005\u7684\u68c0\u6d4b\u3002\u88ab\u611f\u67d3\u7684\u7f51\u7ad9\u6570\u91cf\u5e9e\u5927\uff0c\u53d7\u5bb3\u8005\u5206\u5e03\u5728\u4e0d\u540c\u5730\u533a\uff0c\u5176\u4e2d\u653f\u5e9c\u673a\u6784\u53d7\u5230\u7684\u51b2\u51fb\u6700\u4e3a\u660e\u663e\u3002", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-17T06:54:26.658000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": "67d40207691067461210a612", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d8f5174a667cd827f43ab8", "name": "SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-18T04:22:47.365000", "tags": [ "socgholish", "compromised websites", "ransomware", "backdoor", "ransomhub", "keitaro tds", "credential theft", "javascript" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "" ], "public": 1, "adversary": "Water Scylla", "targeted_countries": [ "United States of America", "Japan", "Taiwan" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Banking", "Consulting" ], "TLP": "white", "cloned_from": "67d40207691067461210a612", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "hostname": 36 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "foundedbrounded.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "foundedbrounded.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780212019.4056947 }