{
  "type": "Domain",
  "indicator": "funnull.vip",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/funnull.vip",
    "alexa": "http://www.alexa.com/siteinfo/funnull.vip",
    "indicator": "funnull.vip",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3996224239,
      "indicator": "funnull.vip",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "679cd3bc5b057955f8c62aa7",
          "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
          "description": "This article unveils the practice of 'infrastructure laundering' by cybercriminals, specifically focusing on the FUNNULL content delivery network. The investigation reveals that FUNNULL has been renting IP addresses from major cloud providers like Amazon Web Services and Microsoft Azure, using these to host malicious websites involved in retail phishing, investment scams, and money laundering. Despite efforts by cloud providers to ban these IPs, FUNNULL continually acquires new ones, likely through fraudulent means. The research highlights the challenges faced by cloud providers in detecting and preventing this abuse in real-time, raising questions about the effectiveness of current security measures and the responsibilities of hosting companies in combating such sophisticated criminal activities.",
          "modified": "2025-01-31T14:02:11.580000",
          "created": "2025-01-31T13:44:28.033000",
          "tags": [
            "infrastructure laundering",
            "phishing"
          ],
          "references": [
            "https://www.silentpush.com/blog/infrastructure-laundering/"
          ],
          "public": 1,
          "adversary": "FUNNULL",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1594",
              "name": "Search Victim-Owned Websites",
              "display_name": "T1594 - Search Victim-Owned Websites"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1606",
              "name": "Forge Web Credentials",
              "display_name": "T1606 - Forge Web Credentials"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            }
          ],
          "industries": [
            "Retail",
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 43,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 3
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387118,
          "modified_text": "488 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e95aa76cef96a2cbd889bd",
          "name": "EbeeApril2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-22T23:04:42.859000",
          "created": "2026-04-22T23:32:55.340000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "CIDR": 6,
            "CVE": 3,
            "FileHash-MD5": 125,
            "FileHash-SHA1": 115,
            "FileHash-SHA256": 191,
            "domain": 227,
            "email": 2,
            "hostname": 23
          },
          "indicator_count": 741,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e2859f161ed33fb1c106f4",
          "name": "Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn as Threat Actor Distances Activity from FUNNULL CDN",
          "description": "Triad Nexus, a cybercrime organization linked to extensive investment scams and brand impersonation, has evolved its operational security following 2025 U.S. Treasury sanctions. The group has implemented geographic fencing to obscure its operations from U.S. law enforcement, alongside laundering its infrastructure through account muling and establishing a rotating network of clean front companies. This criminal network has reportedly caused over $200 million in losses globally, primarily through sophisticated scams such as pig-butchering and fraudulent virtual currency schemes, averaging $150,000 in losses per victim.",
          "modified": "2026-04-17T19:10:23.886000",
          "created": "2026-04-17T19:10:23.886000",
          "tags": [
            "triad nexus",
            "cname",
            "cname chain",
            "funnull",
            "cname domain",
            "lookup",
            "amazon",
            "funnull cdn",
            "silent push",
            "amazon ips",
            "april",
            "nexus",
            "front",
            "bank",
            "june",
            "tiffany",
            "tools",
            "global",
            "tron",
            "error",
            "silent",
            "push"
          ],
          "references": [
            "https://www.silentpush.com/blog/triad-nexus-funnull-2026/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1568.001",
              "name": "Fast Flux DNS",
              "display_name": "T1568.001 - Fast Flux DNS"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            }
          ],
          "industries": [
            "Retail",
            "Technology",
            "Finance"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "46 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6839b1d4a769248f612ef18b",
          "name": "Infrastructure Used to Manage Domains Related to  Cryptocurrency Investment Fraud Scams",
          "description": "The Federal Bureau of Investigation (FBI) is releasing a FLASH to disseminate indicators of malicious cyber activities linked to Funnull Technology Inc (Funnull) and other illicit activities, commonly known as \"pig butchering\".\n\nOFAC\u2019s designation includes two digital currency addresses associated with Funnull Technology Inc.:\n-- Ethereum (ETH): 0xd5ED34b52AC4ab84d8FA8A231a3218bbF01Ed510\n-- TRON (TRX): TNmRfnSUXZoWWzxcDDbf95eGQYXt1mJDt8\n\nKnown physical address to OFAC:\n--14th Floor, Net Cube Center, E-Square, 30th Street, Zone Avenue 3rd, Taguig City, 1634, Philippines",
          "modified": "2025-05-30T13:31:26.340000",
          "created": "2025-05-30T13:25:40.644000",
          "tags": [],
          "references": [
            "https://www.ic3.gov/CSA/2025/250529.pdf"
          ],
          "public": 1,
          "adversary": "China",
          "targeted_countries": [
            "Philippines",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "drexx001",
            "id": "111525",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111525/resized/80/avatar_9da3d8ccf1.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 213,
            "hostname": 200
          },
          "indicator_count": 413,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "369 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a1ef3e68ca954990740382",
          "name": "Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech - Silent Push",
          "description": "A growing criminal practice known as infrastructure laundering has been uncovered by security analysts at Silent Push, who found threat actors such as FUNNULL renting IP addresses at large scale from mainstream providers such as Amazon and Microsoft.",
          "modified": "2025-03-06T10:04:51.026000",
          "created": "2025-02-04T10:43:10.862000",
          "tags": [
            "funnull",
            "funnull cdn",
            "amazon",
            "cname",
            "silent push",
            "microsoft",
            "push",
            "bwin",
            "triad nexus",
            "laundering",
            "find",
            "crime",
            "february",
            "june",
            "tiffany",
            "prior",
            "concept",
            "attack",
            "click"
          ],
          "references": [
            "https://www.silentpush.com/blog/infrastructure-laundering/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 9,
            "hostname": 3
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "454 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a9867d8dd53313edef60d0",
          "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
          "description": "",
          "modified": "2025-02-10T04:54:21.712000",
          "created": "2025-02-10T04:54:21.712000",
          "tags": [
            "infrastructure laundering",
            "phishing"
          ],
          "references": [
            "https://www.silentpush.com/blog/infrastructure-laundering/"
          ],
          "public": 1,
          "adversary": "FUNNULL",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1594",
              "name": "Search Victim-Owned Websites",
              "display_name": "T1594 - Search Victim-Owned Websites"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1606",
              "name": "Forge Web Credentials",
              "display_name": "T1606 - Forge Web Credentials"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            }
          ],
          "industries": [
            "Retail",
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "679cd3bc5b057955f8c62aa7",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 3
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "478 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a9867c9d7fc74eda2b9a4c",
          "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
          "description": "",
          "modified": "2025-02-10T04:54:20.268000",
          "created": "2025-02-10T04:54:20.268000",
          "tags": [
            "infrastructure laundering",
            "phishing"
          ],
          "references": [
            "https://www.silentpush.com/blog/infrastructure-laundering/"
          ],
          "public": 1,
          "adversary": "FUNNULL",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1594",
              "name": "Search Victim-Owned Websites",
              "display_name": "T1594 - Search Victim-Owned Websites"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1606",
              "name": "Forge Web Credentials",
              "display_name": "T1606 - Forge Web Credentials"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            }
          ],
          "industries": [
            "Retail",
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "679cd3bc5b057955f8c62aa7",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 3
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "478 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.silentpush.com/blog/infrastructure-laundering/",
        "https://www.silentpush.com/blog/triad-nexus-funnull-2026/",
        "IOCs.2026.csv",
        "https://www.ic3.gov/CSA/2025/250529.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FUNNULL"
          ],
          "malware_families": [],
          "industries": [
            "Technology",
            "Finance",
            "Retail"
          ]
        },
        "other": {
          "adversary": [
            "China",
            "FUNNULL",
            "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware"
          ],
          "malware_families": [],
          "industries": [
            "Technology",
            "Finance",
            "Retail"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "679cd3bc5b057955f8c62aa7",
      "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
      "description": "This article unveils the practice of 'infrastructure laundering' by cybercriminals, specifically focusing on the FUNNULL content delivery network. The investigation reveals that FUNNULL has been renting IP addresses from major cloud providers like Amazon Web Services and Microsoft Azure, using these to host malicious websites involved in retail phishing, investment scams, and money laundering. Despite efforts by cloud providers to ban these IPs, FUNNULL continually acquires new ones, likely through fraudulent means. The research highlights the challenges faced by cloud providers in detecting and preventing this abuse in real-time, raising questions about the effectiveness of current security measures and the responsibilities of hosting companies in combating such sophisticated criminal activities.",
      "modified": "2025-01-31T14:02:11.580000",
      "created": "2025-01-31T13:44:28.033000",
      "tags": [
        "infrastructure laundering",
        "phishing"
      ],
      "references": [
        "https://www.silentpush.com/blog/infrastructure-laundering/"
      ],
      "public": 1,
      "adversary": "FUNNULL",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1594",
          "name": "Search Victim-Owned Websites",
          "display_name": "T1594 - Search Victim-Owned Websites"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1606",
          "name": "Forge Web Credentials",
          "display_name": "T1606 - Forge Web Credentials"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        }
      ],
      "industries": [
        "Retail",
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 43,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 3
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387118,
      "modified_text": "488 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e95aa76cef96a2cbd889bd",
      "name": "EbeeApril2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-22T23:04:42.859000",
      "created": "2026-04-22T23:32:55.340000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "CIDR": 6,
        "CVE": 3,
        "FileHash-MD5": 125,
        "FileHash-SHA1": 115,
        "FileHash-SHA256": 191,
        "domain": 227,
        "email": 2,
        "hostname": 23
      },
      "indicator_count": 741,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e2859f161ed33fb1c106f4",
      "name": "Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn as Threat Actor Distances Activity from FUNNULL CDN",
      "description": "Triad Nexus, a cybercrime organization linked to extensive investment scams and brand impersonation, has evolved its operational security following 2025 U.S. Treasury sanctions. The group has implemented geographic fencing to obscure its operations from U.S. law enforcement, alongside laundering its infrastructure through account muling and establishing a rotating network of clean front companies. This criminal network has reportedly caused over $200 million in losses globally, primarily through sophisticated scams such as pig-butchering and fraudulent virtual currency schemes, averaging $150,000 in losses per victim.",
      "modified": "2026-04-17T19:10:23.886000",
      "created": "2026-04-17T19:10:23.886000",
      "tags": [
        "triad nexus",
        "cname",
        "cname chain",
        "funnull",
        "cname domain",
        "lookup",
        "amazon",
        "funnull cdn",
        "silent push",
        "amazon ips",
        "april",
        "nexus",
        "front",
        "bank",
        "june",
        "tiffany",
        "tools",
        "global",
        "tron",
        "error",
        "silent",
        "push"
      ],
      "references": [
        "https://www.silentpush.com/blog/triad-nexus-funnull-2026/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1568.001",
          "name": "Fast Flux DNS",
          "display_name": "T1568.001 - Fast Flux DNS"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        }
      ],
      "industries": [
        "Retail",
        "Technology",
        "Finance"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "46 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6839b1d4a769248f612ef18b",
      "name": "Infrastructure Used to Manage Domains Related to  Cryptocurrency Investment Fraud Scams",
      "description": "The Federal Bureau of Investigation (FBI) is releasing a FLASH to disseminate indicators of malicious cyber activities linked to Funnull Technology Inc (Funnull) and other illicit activities, commonly known as \"pig butchering\".\n\nOFAC\u2019s designation includes two digital currency addresses associated with Funnull Technology Inc.:\n-- Ethereum (ETH): 0xd5ED34b52AC4ab84d8FA8A231a3218bbF01Ed510\n-- TRON (TRX): TNmRfnSUXZoWWzxcDDbf95eGQYXt1mJDt8\n\nPhysical address known to OFAC:\n-- 14th Floor, Net Cube Center, E-Square, 30th Street, Zone Avenue 3rd, Taguig City, 1634, Philippines",
      "modified": "2025-05-30T13:31:26.340000",
      "created": "2025-05-30T13:25:40.644000",
      "tags": [],
      "references": [
        "https://www.ic3.gov/CSA/2025/250529.pdf"
      ],
      "public": 1,
      "adversary": "China",
      "targeted_countries": [
        "Philippines",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "drexx001",
        "id": "111525",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111525/resized/80/avatar_9da3d8ccf1.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 213,
        "hostname": 200
      },
      "indicator_count": 413,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 152,
      "modified_text": "369 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a1ef3e68ca954990740382",
      "name": "Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech - Silent Push",
      "description": "A growing criminal practice known as infrastructure laundering has been uncovered by security analysts at Silent Push, who found large-scale use by threat actors of IP addresses rented from mainstream providers such as Amazon and Microsoft.",
      "modified": "2025-03-06T10:04:51.026000",
      "created": "2025-02-04T10:43:10.862000",
      "tags": [
        "funnull",
        "funnull cdn",
        "amazon",
        "cname",
        "silent push",
        "microsoft",
        "push",
        "bwin",
        "triad nexus",
        "laundering",
        "find",
        "crime",
        "february",
        "june",
        "tiffany",
        "prior",
        "concept",
        "attack",
        "click"
      ],
      "references": [
        "https://www.silentpush.com/blog/infrastructure-laundering/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 9,
        "hostname": 3
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "454 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a9867d8dd53313edef60d0",
      "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
      "description": "",
      "modified": "2025-02-10T04:54:21.712000",
      "created": "2025-02-10T04:54:21.712000",
      "tags": [
        "infrastructure laundering",
        "phishing"
      ],
      "references": [
        "https://www.silentpush.com/blog/infrastructure-laundering/"
      ],
      "public": 1,
      "adversary": "FUNNULL",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1594",
          "name": "Search Victim-Owned Websites",
          "display_name": "T1594 - Search Victim-Owned Websites"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1606",
          "name": "Forge Web Credentials",
          "display_name": "T1606 - Forge Web Credentials"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        }
      ],
      "industries": [
        "Retail",
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "679cd3bc5b057955f8c62aa7",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 3
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "478 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a9867c9d7fc74eda2b9a4c",
      "name": "Infrastructure Laundering: Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech",
      "description": "",
      "modified": "2025-02-10T04:54:20.268000",
      "created": "2025-02-10T04:54:20.268000",
      "tags": [
        "infrastructure laundering",
        "phishing"
      ],
      "references": [
        "https://www.silentpush.com/blog/infrastructure-laundering/"
      ],
      "public": 1,
      "adversary": "FUNNULL",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1594",
          "name": "Search Victim-Owned Websites",
          "display_name": "T1594 - Search Victim-Owned Websites"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1606",
          "name": "Forge Web Credentials",
          "display_name": "T1606 - Forge Web Credentials"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        }
      ],
      "industries": [
        "Retail",
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "679cd3bc5b057955f8c62aa7",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 3
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "478 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "funnull.vip",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "funnull.vip",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780498153.5971966
}