{ "type": "Domain", "indicator": "gitcode.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gitcode.net", "alexa": "http://www.alexa.com/siteinfo/gitcode.net", "indicator": "gitcode.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3600795228, "indicator": "gitcode.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ebb98b4b2b8d00a5096ad", "name": "IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-20T06:56:24.887000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936548fa81a14eb0a64aa46", "name": "PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "", "modified": "2025-12-20T06:00:23.758000", "created": "2025-12-08T04:31:11.779000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "691ebb98b4b2b8d00a5096ad", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668f0708d010906eac35aa7c", "name": "AS138915 Kaopu Cloud HK Limited", "description": "", "modified": "2025-02-15T18:14:14.727000", "created": "2024-07-10T22:11:20.137000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4042, "hostname": 2913 }, "indicator_count": 6956, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf", "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex" ], "malware_families": [ "Slowstepper" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "693ac21225c36da419dbd4f1", "name": "EbeeDec2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T13:07:30.549000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "filename", "cve20251338 cve", "bitcoinaddress" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "hostname": 42, "CIDR": 1, "CVE": 2, "FileHash-MD5": 193, "FileHash-SHA1": 230, "FileHash-SHA256": 224, "domain": 99, "email": 1 }, "indicator_count": 887, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ebb98b4b2b8d00a5096ad", "name": "IOC - PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "ESET researchers provide insights into how PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented network implant that we have named EdgeStepper, which redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.", "modified": "2025-12-20T06:00:23.758000", "created": "2025-11-20T06:56:24.887000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6936548fa81a14eb0a64aa46", "name": "PlushDaemon compromises network devices for adversary-in-the-middle attacks", "description": "", "modified": "2025-12-20T06:00:23.758000", "created": "2025-12-08T04:31:11.779000", "tags": [ "slowstepper c", "c server", "filename eset", "slowstepper", "description", "python", "server", "ipany software", "installer dll", "dll tool" ], "references": [ "https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SlowStepper", "display_name": "SlowStepper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "691ebb98b4b2b8d00a5096ad", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 5, "FileHash-SHA1": 19, "FileHash-SHA256": 5, "domain": 4, "hostname": 5 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668f0708d010906eac35aa7c", "name": "AS138915 Kaopu Cloud HK Limited", "description": "", "modified": "2025-02-15T18:14:14.727000", "created": "2024-07-10T22:11:20.137000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4042, "hostname": 2913 }, "indicator_count": 6956, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63993b596868838805a8f244", "name": "widevinecdm.dll - Supply chain", "description": "", "modified": "2023-01-13T02:00:12.152000", "created": "2022-12-14T02:56:25.758000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/db695a96adb70d5f6246273f4e6c218b2c44f02b3726c3dee4d56b6428bb0ddf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1880, "email": 28, "domain": 1202, "URL": 3432, "CIDR": 1, "FileHash-MD5": 90, "FileHash-SHA1": 56, "FileHash-SHA256": 4101 }, "indicator_count": 10790, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gitcode.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gitcode.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780236707.4931624 }