{ "type": "Domain", "indicator": "gettemplate.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gettemplate.org", "alexa": "http://www.alexa.com/siteinfo/gettemplate.org", "indicator": "gettemplate.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3599563745, "indicator": "gettemplate.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "639790b0e50eb2f180c1fda1", "name": "Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine", "description": "Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group\u2019s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group\u2019s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.", "modified": "2023-01-11T19:00:29.091000", "created": "2022-12-12T20:35:59.380000", "tags": [ "powershower", "cloud atlas", "russia", "ukraine", "belarus", "moldova", "powershell", "phishing", "social engineering", "maldoc", "powershell", "opendrive" ], "references": [ "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "Cloud Atlas", "targeted_countries": [ "Ukraine", "Belarus", "Russian Federation", "Moldova, Republic of" ], "malware_families": [ { "id": "PowerShower", "display_name": "PowerShower", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Foreign Affairs", "Industrial", "Political", "Government", "Diplomatic", "Transportation", "Energy", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 488, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "CVE": 2, "domain": 8 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386711, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644319b5eab89dd2d173acce", "name": "InQuest - 21-04-2023", "description": "", "modified": "2023-04-21T23:18:13.649000", "created": "2023-04-21T23:18:13.649000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "URL": 2084, "domain": 345, "hostname": 1636, "FileHash-SHA256": 112, "FileHash-MD5": 27, "FileHash-SHA1": 16 }, "indicator_count": 4284, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1136 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6441c843401f0071091109a1", "name": "InQuest - 20-04-2023", "description": "", "modified": "2023-04-20T23:18:24.876000", "created": "2023-04-20T23:18:24.876000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 57, "FileHash-SHA1": 14, "hostname": 1727, "URL": 2116, "domain": 291, "FileHash-SHA256": 88, "FileHash-MD5": 17 }, "indicator_count": 4310, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1137 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "639703021a5f65ee98a37b26", "name": "Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine - Check Point Research", "description": "A detailed report on the activities of the Russian-led cyber-espionage group, Cloud Atlas, from 2022-2021, and the ongoing war in Ukraine and Transnistrian Moldova.", "modified": "2023-01-11T10:01:27.819000", "created": "2022-12-12T10:31:30.485000", "tags": [ "powershower", "cloud atlas", "russia", "ukraine", "belarus", "ttps", "donetsk", "pe file", "atlas", "moldova", "june", "example", "powershell", "february", "cloudatlas", "cve201711882", "path", "virustotal", "anydesk", "python" ], "references": [ "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Belarus", "Russian Federation" ], "malware_families": [ { "id": "PowerShower", "display_name": "PowerShower", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Social Engineering", "Technology", "Foreign Affairs", "Electronics", "Military", "Transportation", "Industrial", "Political", "Critical Infrastructure", "Energy", "Government", "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "CVE": 2, "domain": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6396e9c3f6fc44f438221481", "name": "APT Cloud Atlas: Unbroken Threat", "description": "Ucraina #165: Red October prende di mira entit\u00e0 russe e bielorusse", "modified": "2023-01-11T08:01:06.278000", "created": "2022-12-12T08:43:47.498000", "tags": [ "Red October" ], "references": [ "2649976.misp-json", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/", "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "FileHash-MD5": 51, "FileHash-SHA256": 38, "FileHash-SHA1": 38 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/", "2649976.misp-json", "https://labs.inquest.net/iocdb", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/" ], "related": { "alienvault": { "adversary": [ "Cloud Atlas" ], "malware_families": [ "Powershower" ], "industries": [ "Energy", "Government", "Industrial", "Transportation", "Defense", "Foreign affairs", "Diplomatic", "Political" ] }, "other": { "adversary": [], "malware_families": [ "Powershower" ], "industries": [ "Energy", "Military", "Government", "Transportation", "Industrial", "Social engineering", "Critical infrastructure", "Technology", "Foreign affairs", "Diplomatic", "Political", "Electronics" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "639790b0e50eb2f180c1fda1", "name": "Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine", "description": "Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group\u2019s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group\u2019s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.", "modified": "2023-01-11T19:00:29.091000", "created": "2022-12-12T20:35:59.380000", "tags": [ "powershower", "cloud atlas", "russia", "ukraine", "belarus", "moldova", "powershell", "phishing", "social engineering", "maldoc", "powershell", "opendrive" ], "references": [ "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "Cloud Atlas", "targeted_countries": [ "Ukraine", "Belarus", "Russian Federation", "Moldova, Republic of" ], "malware_families": [ { "id": "PowerShower", "display_name": "PowerShower", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Foreign Affairs", "Industrial", "Political", "Government", "Diplomatic", "Transportation", "Energy", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 488, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "CVE": 2, "domain": 8 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386711, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644319b5eab89dd2d173acce", "name": "InQuest - 21-04-2023", "description": "", "modified": "2023-04-21T23:18:13.649000", "created": "2023-04-21T23:18:13.649000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 64, "URL": 2084, "domain": 345, "hostname": 1636, "FileHash-SHA256": 112, "FileHash-MD5": 27, "FileHash-SHA1": 16 }, "indicator_count": 4284, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1136 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6441c843401f0071091109a1", "name": "InQuest - 20-04-2023", "description": "", "modified": "2023-04-20T23:18:24.876000", "created": "2023-04-20T23:18:24.876000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 57, "FileHash-SHA1": 14, "hostname": 1727, "URL": 2116, "domain": 291, "FileHash-SHA256": 88, "FileHash-MD5": 17 }, "indicator_count": 4310, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1137 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "639703021a5f65ee98a37b26", "name": "Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine - Check Point Research", "description": "A detailed report on the activities of the Russian-led cyber-espionage group, Cloud Atlas, from 2022-2021, and the ongoing war in Ukraine and Transnistrian Moldova.", "modified": "2023-01-11T10:01:27.819000", "created": "2022-12-12T10:31:30.485000", "tags": [ "powershower", "cloud atlas", "russia", "ukraine", "belarus", "ttps", "donetsk", "pe file", "atlas", "moldova", "june", "example", "powershell", "february", "cloudatlas", "cve201711882", "path", "virustotal", "anydesk", "python" ], "references": [ "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine", "Belarus", "Russian Federation" ], "malware_families": [ { "id": "PowerShower", "display_name": "PowerShower", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Social Engineering", "Technology", "Foreign Affairs", "Electronics", "Military", "Transportation", "Industrial", "Political", "Critical Infrastructure", "Energy", "Government", "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 44, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "CVE": 2, "domain": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6396e9c3f6fc44f438221481", "name": "APT Cloud Atlas: Unbroken Threat", "description": "Ucraina #165: Red October prende di mira entit\u00e0 russe e bielorusse", "modified": "2023-01-11T08:01:06.278000", "created": "2022-12-12T08:43:47.498000", "tags": [ "Red October" ], "references": [ "2649976.misp-json", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/", "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "FileHash-MD5": 51, "FileHash-SHA256": 38, "FileHash-SHA1": 38 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gettemplate.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gettemplate.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780332378.9995267 }