{
  "type": "Domain",
  "indicator": "gameupdate-endpoint.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/gameupdate-endpoint.com",
    "alexa": "http://www.alexa.com/siteinfo/gameupdate-endpoint.com",
    "indicator": "gameupdate-endpoint.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4063390013,
      "indicator": "gameupdate-endpoint.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "68cd1af4dafcfd20ae92b395",
          "name": "CountLoader: New Malware Loader Being Served in 3 Different Versions",
          "description": "A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.",
          "modified": "2025-10-19T10:01:53.290000",
          "created": "2025-09-19T08:57:24.237000",
          "tags": [
            "adaptixc2",
            "malware loader",
            "purehvnc",
            "lumma stealer",
            "phishing",
            "jscript",
            "initial access broker",
            ".net",
            "cobaltstrike",
            "ukraine",
            "countloader",
            "powershell",
            "ransomware",
            "evasion techniques"
          ],
          "references": [
            "https://www.silentpush.com/blog/countloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "CountLoader",
              "display_name": "CountLoader",
              "target": null
            },
            {
              "id": "CobaltStrike",
              "display_name": "CobaltStrike",
              "target": null
            },
            {
              "id": "AdaptixC2",
              "display_name": "AdaptixC2",
              "target": null
            },
            {
              "id": "PureHVNC",
              "display_name": "PureHVNC",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 602,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 8,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386554,
          "modified_text": "224 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683202092d4ff2099430b6d3",
          "name": "urlhaus 30days",
          "description": "",
          "modified": "2026-02-09T00:11:12.303000",
          "created": "2025-05-24T17:29:45.368000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 61,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 31,
            "URL": 28057,
            "domain": 435,
            "hostname": 423
          },
          "indicator_count": 29011,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "111 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683e4307a059dee6d1ade4ed",
          "name": "lumma",
          "description": "",
          "modified": "2026-01-04T22:52:50.774000",
          "created": "2025-06-03T00:34:15.050000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 31,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 90,
            "URL": 550,
            "domain": 380,
            "hostname": 33
          },
          "indicator_count": 1106,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690f574fc4d9aa9a815a658c",
          "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.",
          "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was http://dmca-security.com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain, using pivoting techniques in DNS history to trace the threat, revealed connections to additional domains and IP addresses. Specifically, the IP address 101.99.92[.]246 was identified as being used shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.",
          "modified": "2025-12-08T14:05:40.882000",
          "created": "2025-11-08T14:44:31.092000",
          "tags": [
            "validin",
            "copy code",
            "dmca",
            "ip address",
            "wbmmfq",
            "john hammond",
            "dns history",
            "youtube",
            "august",
            "pivots",
            "april",
            "contact"
          ],
          "references": [
            "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            },
            {
              "id": "T1593.001",
              "name": "Social Media",
              "display_name": "T1593.001 - Social Media"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "URL": 3,
            "domain": 102,
            "hostname": 6
          },
          "indicator_count": 115,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "174 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ccfa33c2b5c9cc8717806f",
          "name": "CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions.",
          "description": "Silent Push has identified a new malware loader named \"CountLoader,\" linked to various Russian ransomware gangs. This evolving threat has been observed in three distinct versions\u2014.NET, PowerShell, and JScript. CountLoader's deployment has been particularly notable in a recent phishing campaign that targeted individuals in Ukraine by masquerading as the Ukrainian police, further indicating its connection to Russian threat actors.\n\nDuring the investigation, analysts found that CountLoader communicates through domains employing a unique pattern, specifically using the \"/api/getFile?fn=\" path. Initial analysis showed that the JScript variant of CountLoader stands out as the most functional and advanced, featuring around 850 lines of code and delivered to victims as an obfuscated .hta file. Upon execution, this version checks if it has already initialized on the target system by verifying the execution URL.",
          "modified": "2025-10-19T06:05:57.420000",
          "created": "2025-09-19T06:37:39.870000",
          "tags": [
            "countloader",
            "cobalt strike",
            "c2 server",
            "silent push",
            "blackbasta",
            "iofa",
            "virustotal",
            "jscript version",
            "powershell",
            "jscript",
            "lockbit",
            "ukraine",
            "june",
            "attack",
            "loader",
            "august",
            "push",
            "music",
            "cobaltstrike",
            "assembly",
            "cobalt",
            "lumma stealer",
            "qilin",
            "filename sha256",
            "malware c2",
            "c2 https",
            "strike"
          ],
          "references": [
            "https://www.silentpush.com/blog/countloader/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 8,
            "CVE": 1,
            "URL": 3,
            "domain": 15,
            "hostname": 3
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "224 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68325ea4adf5fee6066840cf",
          "name": "Twitter Feed - skocherhan - 24-05-2025",
          "description": "",
          "modified": "2025-06-24T00:00:59.539000",
          "created": "2025-05-25T00:04:52.367000",
          "tags": [
            "phishing",
            "APT",
            "malware",
            "stealer",
            "Formbook",
            "Kimsuky",
            "CobaltStrike",
            "C2"
          ],
          "references": [
            "https://x.com/skocherhan/status/1926072685538254952",
            "https://x.com/skocherhan/status/1926112454703980746",
            "https://x.com/skocherhan/status/1926115551098581374",
            "https://x.com/skocherhan/status/1926118764669456446",
            "https://x.com/skocherhan/status/1926120484338352492",
            "https://x.com/skocherhan/status/1926131000049860735",
            "https://x.com/skocherhan/status/1926146456747958589",
            "https://x.com/skocherhan/status/1926152653542715411",
            "https://x.com/skocherhan/status/1926160635227713887",
            "https://x.com/skocherhan/status/1926161765512986644",
            "https://x.com/skocherhan/status/1926165829881585801",
            "https://x.com/skocherhan/status/1926169395090301031",
            "https://x.com/skocherhan/status/1926170864724107555",
            "https://x.com/skocherhan/status/1926171053081919758",
            "https://x.com/skocherhan/status/1926178233684292075",
            "https://x.com/skocherhan/status/1926189397684138464",
            "https://x.com/skocherhan/status/1926197987702648842",
            "https://x.com/skocherhan/status/1926216574031024592",
            "https://x.com/skocherhan/status/1926229346194215061",
            "https://x.com/skocherhan/status/1926318221830782992",
            "https://x.com/skocherhan/status/1926332092482257037"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 18,
            "URL": 37,
            "hostname": 12,
            "FileHash-MD5": 14
          },
          "indicator_count": 81,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "341 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "680d6c2c94a1ca119e7dfdf5",
          "name": "Twitter Feed - SquiblydooBlog - 26-04-2025",
          "description": "",
          "modified": "2025-04-26T23:28:44.655000",
          "created": "2025-04-26T23:28:44.655000",
          "tags": [],
          "references": [
            "https://x.com/SquiblydooBlog/status/1916044910966542743",
            "https://x.com/SquiblydooBlog/status/1916098169521508592"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "URL": 1,
            "FileHash-MD5": 1
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "399 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/skocherhan/status/1926178233684292075",
        "https://x.com/skocherhan/status/1926072685538254952",
        "https://x.com/skocherhan/status/1926160635227713887",
        "https://x.com/skocherhan/status/1926120484338352492",
        "https://x.com/skocherhan/status/1926332092482257037",
        "https://x.com/skocherhan/status/1926229346194215061",
        "https://x.com/skocherhan/status/1926197987702648842",
        "https://x.com/skocherhan/status/1926216574031024592",
        "https://x.com/skocherhan/status/1926131000049860735",
        "https://x.com/SquiblydooBlog/status/1916098169521508592",
        "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/",
        "https://x.com/skocherhan/status/1926170864724107555",
        "https://x.com/skocherhan/status/1926189397684138464",
        "https://x.com/skocherhan/status/1926161765512986644",
        "https://x.com/skocherhan/status/1926171053081919758",
        "https://x.com/skocherhan/status/1926318221830782992",
        "https://www.silentpush.com/blog/countloader/",
        "https://x.com/SquiblydooBlog/status/1916044910966542743",
        "https://x.com/skocherhan/status/1926152653542715411",
        "https://x.com/skocherhan/status/1926146456747958589",
        "https://x.com/skocherhan/status/1926118764669456446",
        "https://www.silentpush.com/blog/countloader",
        "https://x.com/skocherhan/status/1926112454703980746",
        "https://x.com/skocherhan/status/1926165829881585801",
        "https://x.com/skocherhan/status/1926169395090301031",
        "https://x.com/skocherhan/status/1926115551098581374"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Countloader",
            "Adaptixc2",
            "Purehvnc",
            "Cobaltstrike",
            "Lumma stealer"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "68cd1af4dafcfd20ae92b395",
      "name": "CountLoader: New Malware Loader Being Served in 3 Different Versions",
      "description": "A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, BlackBasta, and Qilin groups. CountLoader was recently employed in a phishing campaign targeting Ukrainian citizens, impersonating the Ukrainian police. The loader attempts to connect to multiple C2 servers, downloads and executes various malware payloads, and uses advanced techniques to evade detection. It has been observed dropping CobaltStrike and AdaptixC2, among other malicious tools. The malware's functionality includes system information gathering, persistence mechanisms, and multiple download methods.",
      "modified": "2025-10-19T10:01:53.290000",
      "created": "2025-09-19T08:57:24.237000",
      "tags": [
        "adaptixc2",
        "malware loader",
        "purehvnc",
        "lumma stealer",
        "phishing",
        "jscript",
        "initial access broker",
        ".net",
        "cobaltstrike",
        "ukraine",
        "countloader",
        "powershell",
        "ransomware",
        "evasion techniques"
      ],
      "references": [
        "https://www.silentpush.com/blog/countloader"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "CountLoader",
          "display_name": "CountLoader",
          "target": null
        },
        {
          "id": "CobaltStrike",
          "display_name": "CobaltStrike",
          "target": null
        },
        {
          "id": "AdaptixC2",
          "display_name": "AdaptixC2",
          "target": null
        },
        {
          "id": "PureHVNC",
          "display_name": "PureHVNC",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 602,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 8,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386554,
      "modified_text": "224 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683202092d4ff2099430b6d3",
      "name": "urlhaus 30days",
      "description": "",
      "modified": "2026-02-09T00:11:12.303000",
      "created": "2025-05-24T17:29:45.368000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 61,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 31,
        "URL": 28057,
        "domain": 435,
        "hostname": 423
      },
      "indicator_count": 29011,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "111 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683e4307a059dee6d1ade4ed",
      "name": "lumma",
      "description": "",
      "modified": "2026-01-04T22:52:50.774000",
      "created": "2025-06-03T00:34:15.050000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 31,
        "FileHash-SHA1": 22,
        "FileHash-SHA256": 90,
        "URL": 550,
        "domain": 380,
        "hostname": 33
      },
      "indicator_count": 1106,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690f574fc4d9aa9a815a658c",
      "name": "Finding Related Fake \"DMCA Takedown\" Domains with Validin.",
      "description": "On November 5, 2025, several prominent YouTube content creators experienced an attack involving fake DMCA takedown notices that led to malicious downloads. The domain prominently associated with this scam was hxxp://dmca-security[.]com, which acted as the initial phishing site. Cybersecurity analysts, including Tanner and John Hammond, investigated this domain to uncover related malicious infrastructure and gather relevant indicators of compromise (IoCs). Analysis of the phishing domain revealed connections to additional domains and IP addresses, focusing on pivoting techniques in DNS history to trace the threat. Specifically, the IP address 101.99.92[.]246 was identified as being utilized shortly after the phishing domain's registration. This indicates a potentially organized effort by the threat actors to quickly establish a network of malicious domains.",
      "modified": "2025-12-08T14:05:40.882000",
      "created": "2025-11-08T14:44:31.092000",
      "tags": [
        "validin",
        "copy code",
        "dmca",
        "ip address",
        "wbmmfq",
        "john hammond",
        "dns history",
        "youtube",
        "august",
        "pivots",
        "april",
        "contact"
      ],
      "references": [
        "https://www.validin.com/blog/fake_dmca_notice_scam_hunting/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        },
        {
          "id": "T1593.001",
          "name": "Social Media",
          "display_name": "T1593.001 - Social Media"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "URL": 3,
        "domain": 102,
        "hostname": 6
      },
      "indicator_count": 115,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "174 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ccfa33c2b5c9cc8717806f",
      "name": "CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions.",
      "description": "Silent Push has identified a new malware loader named \"CountLoader,\" linked to various Russian ransomware gangs. This evolving threat has been observed in three distinct versions\u2014.NET, PowerShell, and JScript. CountLoader's deployment has been particularly notable in a recent phishing campaign that targeted individuals in Ukraine by masquerading as the Ukrainian police, further indicating its connection to Russian threat actors.\n\nDuring the investigation, analysts found that CountLoader communicates through domains employing a unique pattern, specifically using the \"/api/getFile?fn=\" path. Initial analysis showed that the JScript variant of CountLoader stands out as the most functional and advanced, featuring around 850 lines of code and delivered to victims as an obfuscated .hta file. Upon execution, this version checks if it has already initialized on the target system by verifying the execution URL.",
      "modified": "2025-10-19T06:05:57.420000",
      "created": "2025-09-19T06:37:39.870000",
      "tags": [
        "countloader",
        "cobalt strike",
        "c2 server",
        "silent push",
        "blackbasta",
        "iofa",
        "virustotal",
        "jscript version",
        "powershell",
        "jscript",
        "lockbit",
        "ukraine",
        "june",
        "attack",
        "loader",
        "august",
        "push",
        "music",
        "cobaltstrike",
        "assembly",
        "cobalt",
        "lumma stealer",
        "qilin",
        "filename sha256",
        "malware c2",
        "c2 https",
        "strike"
      ],
      "references": [
        "https://www.silentpush.com/blog/countloader/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 8,
        "CVE": 1,
        "URL": 3,
        "domain": 15,
        "hostname": 3
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "224 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68325ea4adf5fee6066840cf",
      "name": "Twitter Feed - skocherhan - 24-05-2025",
      "description": "",
      "modified": "2025-06-24T00:00:59.539000",
      "created": "2025-05-25T00:04:52.367000",
      "tags": [
        "phishing",
        "APT",
        "malware",
        "stealer",
        "Formbook",
        "Kimsuky",
        "CobaltStrike",
        "C2"
      ],
      "references": [
        "https://x.com/skocherhan/status/1926072685538254952",
        "https://x.com/skocherhan/status/1926112454703980746",
        "https://x.com/skocherhan/status/1926115551098581374",
        "https://x.com/skocherhan/status/1926118764669456446",
        "https://x.com/skocherhan/status/1926120484338352492",
        "https://x.com/skocherhan/status/1926131000049860735",
        "https://x.com/skocherhan/status/1926146456747958589",
        "https://x.com/skocherhan/status/1926152653542715411",
        "https://x.com/skocherhan/status/1926160635227713887",
        "https://x.com/skocherhan/status/1926161765512986644",
        "https://x.com/skocherhan/status/1926165829881585801",
        "https://x.com/skocherhan/status/1926169395090301031",
        "https://x.com/skocherhan/status/1926170864724107555",
        "https://x.com/skocherhan/status/1926171053081919758",
        "https://x.com/skocherhan/status/1926178233684292075",
        "https://x.com/skocherhan/status/1926189397684138464",
        "https://x.com/skocherhan/status/1926197987702648842",
        "https://x.com/skocherhan/status/1926216574031024592",
        "https://x.com/skocherhan/status/1926229346194215061",
        "https://x.com/skocherhan/status/1926318221830782992",
        "https://x.com/skocherhan/status/1926332092482257037"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 18,
        "URL": 37,
        "hostname": 12,
        "FileHash-MD5": 14
      },
      "indicator_count": 81,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "341 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "680d6c2c94a1ca119e7dfdf5",
      "name": "Twitter Feed - SquiblydooBlog - 26-04-2025",
      "description": "",
      "modified": "2025-04-26T23:28:44.655000",
      "created": "2025-04-26T23:28:44.655000",
      "tags": [],
      "references": [
        "https://x.com/SquiblydooBlog/status/1916044910966542743",
        "https://x.com/SquiblydooBlog/status/1916098169521508592"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "URL": 1,
        "FileHash-MD5": 1
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "399 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "gameupdate-endpoint.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "gameupdate-endpoint.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 2,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://gameupdate-endpoint.com/uipTpCSS/f.het",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-06-03",
        "tags": []
      },
      {
        "url": "http://gameupdate-endpoint.com/api/getFile?fn=123.hta",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2025-04-26",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780250290.5967515
}