{ "type": "Domain", "indicator": "getsqldeveloper.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/getsqldeveloper.com", "alexa": "http://www.alexa.com/siteinfo/getsqldeveloper.com", "indicator": "getsqldeveloper.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4236956619, "indicator": "getsqldeveloper.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "6a141fcbde28865faa897cb4", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.", "modified": "2026-05-25T10:15:01.309000", "created": "2026-05-25T10:09:15.943000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552092, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a170d7c4a1ca44e6bb349ef", "name": "IOC Blocking", "description": "The full text of the full translation of this text, here:.. (full text):. and this page is subject to copyright., and will not be published until further notice,.", "modified": "2026-05-27T15:27:56.634000", "created": "2026-05-27T15:27:56.634000", "tags": [ "hash sha256", "tata", "tata sons", "private limited" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 30, "IPv4": 2, "domain": 14, "URL": 10, "hostname": 16 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a169064e392d2f18a296a21", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "", "modified": "2026-05-27T06:34:12.974000", "created": "2026-05-27T06:34:12.974000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": "6a15279c4b16d60c5707ab1b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15279c4b16d60c5707ab1b", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "", "modified": "2026-05-26T04:54:52.693000", "created": "2026-05-26T04:54:52.693000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": "6a141fcbde28865faa897cb4", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13ae629b15eba085497938", "name": "IOC - Fast and Furious \u2013 Nimbus Manticore Operations During the Iranian Conflict", "description": "During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran\u2019s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts.", "modified": "2026-05-25T02:05:22.491000", "created": "2026-05-25T02:05:22.491000", "tags": [ "sha256" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c08867316c564ade394c69", "name": "PhishDestroy \u2014 Content Active Threats (Live)", "description": "Live feed of phishing and crypto scam domains with ACTIVE malicious content from PhishDestroy. These domains are verified to have live phishing/scam pages. Updated hourly. Source: github.com/phishdestroy/destroylist/dns/content_active.json", "modified": "2026-05-21T12:06:19.702000", "created": "2026-03-23T00:25:09.116000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy", "active", "content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132502, "hostname": 66217 }, "indicator_count": 198719, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cb0ce73bef5c452bfb0", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:04.332000", "created": "2026-05-04T06:29:04.332000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83caf1bef3609f0eb79e2", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:03.120000", "created": "2026-05-04T06:29:03.120000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cac7d6c947de6c080f9", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:00.417000", "created": "2026-05-04T06:29:00.417000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab9769e92b3285a2b4", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.770000", "created": "2026-05-04T06:28:59.770000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab7e03b19c5f1078e3", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.113000", "created": "2026-05-04T06:28:59.113000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83ca9411c8ab5d294a7e2", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:57.479000", "created": "2026-05-04T06:28:57.479000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83ca77d6c947de6c080f8", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:55.093000", "created": "2026-05-04T06:28:55.093000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/", "IOCs-MAY4.csv" ], "related": { "alienvault": { "adversary": [ "Nimbus Manticore" ], "malware_families": [ "Minijunk", "Minifast" ], "industries": [ "Telecommunications", "Defense", "Technology", "Aviation" ] }, "other": { "adversary": [ "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "Nimbus Manticore" ], "malware_families": [ "Minijunk", "Minifast" ], "industries": [ "Telecommunications", "Defense", "Technology", "Aviation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "6a141fcbde28865faa897cb4", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.", "modified": "2026-05-25T10:15:01.309000", "created": "2026-05-25T10:09:15.943000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552092, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "17 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1814b55e1559397600e7f7", "name": "EbeeMay2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-28T10:11:01.506000", "created": "2026-05-28T10:11:01.506000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "redacted", "ipv62a12", "ipv62a03", "localappdata", "cve20234966 cve", "cve20136282 cve", "cve20132597 cve" ], "references": [ "IOCs-MAY4.csv" ], "public": 1, "adversary": "RemotePE, ClayRat, Nimbus Manticore, SonicWall SSL VPN exploitation, ModeloRAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 79, "URL": 57, "CIDR": 3, "CVE": 15, "FileHash-MD5": 151, "FileHash-SHA1": 113, "FileHash-SHA256": 164, "domain": 137, "email": 4, "hostname": 47 }, "indicator_count": 770, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a170d7c4a1ca44e6bb349ef", "name": "IOC Blocking", "description": "The full text of the full translation of this text, here:.. (full text):. and this page is subject to copyright., and will not be published until further notice,.", "modified": "2026-05-27T15:27:56.634000", "created": "2026-05-27T15:27:56.634000", "tags": [ "hash sha256", "tata", "tata sons", "private limited" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 30, "IPv4": 2, "domain": 14, "URL": 10, "hostname": 16 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a169064e392d2f18a296a21", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "", "modified": "2026-05-27T06:34:12.974000", "created": "2026-05-27T06:34:12.974000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": "6a15279c4b16d60c5707ab1b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a15279c4b16d60c5707ab1b", "name": "Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict", "description": "", "modified": "2026-05-26T04:54:52.693000", "created": "2026-05-26T04:54:52.693000", "tags": [ "operation epic fury", "minifast", "minijunk", "seo poisoning", "nimbus manticore", "appdomain hijacking" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "Nimbus Manticore", "targeted_countries": [ "United States of America", "Australia", "Saudi Arabia", "Israel", "United Arab Emirates" ], "malware_families": [ { "id": "MiniFast", "display_name": "MiniFast", "target": null }, { "id": "MiniJunk", "display_name": "MiniJunk", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Aviation", "Technology", "Defense", "Telecommunications" ], "TLP": "white", "cloned_from": "6a141fcbde28865faa897cb4", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13ae629b15eba085497938", "name": "IOC - Fast and Furious \u2013 Nimbus Manticore Operations During the Iranian Conflict", "description": "During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran\u2019s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts.", "modified": "2026-05-25T02:05:22.491000", "created": "2026-05-25T02:05:22.491000", "tags": [ "sha256" ], "references": [ "https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 27, "domain": 4 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c08867316c564ade394c69", "name": "PhishDestroy \u2014 Content Active Threats (Live)", "description": "Live feed of phishing and crypto scam domains with ACTIVE malicious content from PhishDestroy. These domains are verified to have live phishing/scam pages. Updated hourly. Source: github.com/phishdestroy/destroylist/dns/content_active.json", "modified": "2026-05-21T12:06:19.702000", "created": "2026-03-23T00:25:09.116000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy", "active", "content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132502, "hostname": 66217 }, "indicator_count": 198719, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cb0ce73bef5c452bfb0", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:04.332000", "created": "2026-05-04T06:29:04.332000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "getsqldeveloper.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "getsqldeveloper.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173553.7545693 }