{
  "type": "Domain",
  "indicator": "funnull301.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/funnull301.com",
    "alexa": "http://www.alexa.com/siteinfo/funnull301.com",
    "indicator": "funnull301.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4071898726,
      "indicator": "funnull301.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "69e95aa76cef96a2cbd889bd",
          "name": "EbeeApril2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-22T23:04:42.859000",
          "created": "2026-04-22T23:32:55.340000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "CIDR": 6,
            "CVE": 3,
            "FileHash-MD5": 125,
            "FileHash-SHA1": 115,
            "FileHash-SHA256": 191,
            "domain": 227,
            "email": 2,
            "hostname": 23
          },
          "indicator_count": 741,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e2859f161ed33fb1c106f4",
          "name": "Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn as Threat Actor Distances Activity from FUNNULL CDN",
          "description": "Triad Nexus, a cybercrime organization linked to extensive investment scams and brand impersonation, has evolved its operational security following 2025 U.S. Treasury sanctions. The group has implemented geographic fencing to obscure its operations from U.S. law enforcement, alongside laundering its infrastructure through account muling and establishing a rotating network of clean front companies. This criminal network has reportedly caused over $200 million in losses globally, primarily through sophisticated scams such as pig-butchering and fraudulent virtual currency schemes, averaging $150,000 in losses per victim.",
          "modified": "2026-04-17T19:10:23.886000",
          "created": "2026-04-17T19:10:23.886000",
          "tags": [
            "triad nexus",
            "cname",
            "cname chain",
            "funnull",
            "cname domain",
            "lookup",
            "amazon",
            "funnull cdn",
            "silent push",
            "amazon ips",
            "april",
            "nexus",
            "front",
            "bank",
            "june",
            "tiffany",
            "tools",
            "global",
            "tron",
            "error",
            "silent",
            "push"
          ],
          "references": [
            "https://www.silentpush.com/blog/triad-nexus-funnull-2026/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1568.001",
              "name": "Fast Flux DNS",
              "display_name": "T1568.001 - Fast Flux DNS"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            }
          ],
          "industries": [
            "Retail",
            "Technology",
            "Finance"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "46 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6839b1d4a769248f612ef18b",
          "name": "Infrastructure Used to Manage Domains Related to  Cryptocurrency Investment Fraud Scams",
          "description": "The Federal Bureau of Investigation (FBI) is releasing a FLASH to disseminate indicators of malicious cyber activities linked to Funnull Technology Inc (Funnull) and other illicit activities, commonly known as \"pig butchering\".\n\nOFAC\u2019s designation includes two digital currency addresses associated with Funnull Technology Inc.:\n-- Ethereum (ETH): 0xd5ED34b52AC4ab84d8FA8A231a3218bbF01Ed510\n-- TRON (TRX): TNmRfnSUXZoWWzxcDDbf95eGQYXt1mJDt8\n\nKnown physical address to OFAC:\n-- 14th Floor, Net Cube Center, E-Square, 30th Street, Zone Avenue 3rd, Taguig City, 1634, Philippines",
          "modified": "2025-05-30T13:31:26.340000",
          "created": "2025-05-30T13:25:40.644000",
          "tags": [],
          "references": [
            "https://www.ic3.gov/CSA/2025/250529.pdf"
          ],
          "public": 1,
          "adversary": "China",
          "targeted_countries": [
            "Philippines",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "drexx001",
            "id": "111525",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111525/resized/80/avatar_9da3d8ccf1.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 213,
            "hostname": 200
          },
          "indicator_count": 413,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "368 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.ic3.gov/CSA/2025/250529.pdf",
        "IOCs.2026.csv",
        "https://www.silentpush.com/blog/triad-nexus-funnull-2026/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware",
            "China"
          ],
          "malware_families": [],
          "industries": [
            "Finance",
            "Technology",
            "Retail"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "69e95aa76cef96a2cbd889bd",
      "name": "EbeeApril2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-22T23:04:42.859000",
      "created": "2026-04-22T23:32:55.340000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "JitterDropper, FudCrypt, Janela RAT, PowMix, STAX RAT, Kyber Ransomware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "CIDR": 6,
        "CVE": 3,
        "FileHash-MD5": 125,
        "FileHash-SHA1": 115,
        "FileHash-SHA256": 191,
        "domain": 227,
        "email": 2,
        "hostname": 23
      },
      "indicator_count": 741,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e2859f161ed33fb1c106f4",
      "name": "Post-Sanction Persistence: Triad Nexus' Operations Infrastructure Reborn as Threat Actor Distances Activity from FUNNULL CDN",
      "description": "Triad Nexus, a cybercrime organization linked to extensive investment scams and brand impersonation, has evolved its operational security following 2025 U.S. Treasury sanctions. The group has implemented geographic fencing to obscure its operations from U.S. law enforcement, alongside laundering its infrastructure through account muling and establishing a rotating network of clean front companies. This criminal network has reportedly caused over $200 million in losses globally, primarily through sophisticated scams such as pig-butchering and fraudulent virtual currency schemes, averaging $150,000 in losses per victim.",
      "modified": "2026-04-17T19:10:23.886000",
      "created": "2026-04-17T19:10:23.886000",
      "tags": [
        "triad nexus",
        "cname",
        "cname chain",
        "funnull",
        "cname domain",
        "lookup",
        "amazon",
        "funnull cdn",
        "silent push",
        "amazon ips",
        "april",
        "nexus",
        "front",
        "bank",
        "june",
        "tiffany",
        "tools",
        "global",
        "tron",
        "error",
        "silent",
        "push"
      ],
      "references": [
        "https://www.silentpush.com/blog/triad-nexus-funnull-2026/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1568.001",
          "name": "Fast Flux DNS",
          "display_name": "T1568.001 - Fast Flux DNS"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        }
      ],
      "industries": [
        "Retail",
        "Technology",
        "Finance"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "46 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6839b1d4a769248f612ef18b",
      "name": "Infrastructure Used to Manage Domains Related to  Cryptocurrency Investment Fraud Scams",
      "description": "The Federal Bureau of Investigation (FBI) is releasing a FLASH to disseminate indicators of malicious cyber activities linked to Funnull Technology Inc (Funnull) and other illicit activities, commonly known as \"pig butchering\".\n\nOFAC\u2019s designation includes two digital currency addresses associated with Funnull Technology Inc.:\n-- Ethereum (ETH): 0xd5ED34b52AC4ab84d8FA8A231a3218bbF01Ed510\n-- TRON (TRX): TNmRfnSUXZoWWzxcDDbf95eGQYXt1mJDt8\n\nKnown physical address to OFAC:\n-- 14th Floor, Net Cube Center, E-Square, 30th Street, Zone Avenue 3rd, Taguig City, 1634, Philippines",
      "modified": "2025-05-30T13:31:26.340000",
      "created": "2025-05-30T13:25:40.644000",
      "tags": [],
      "references": [
        "https://www.ic3.gov/CSA/2025/250529.pdf"
      ],
      "public": 1,
      "adversary": "China",
      "targeted_countries": [
        "Philippines",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "drexx001",
        "id": "111525",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111525/resized/80/avatar_9da3d8ccf1.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 213,
        "hostname": 200
      },
      "indicator_count": 413,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 152,
      "modified_text": "368 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "funnull301.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "funnull301.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780459621.0824144
}