{
  "type": "Domain",
  "indicator": "github-scanner.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/github-scanner.com",
    "alexa": "http://www.alexa.com/siteinfo/github-scanner.com",
    "indicator": "github-scanner.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3977387243,
      "indicator": "github-scanner.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "673b4d7444eb18d613635395",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
          "description": "The ClickFix social engineering technique, which tricks users into copying and running malicious PowerShell commands, has become increasingly prevalent across the threat landscape. Initially observed in campaigns by TA571 and ClearFake, it is now used by multiple threat actors to deliver various malware types. The technique often employs fake error messages or CAPTCHA checks to deceive users. Recent examples include GitHub notification impersonations delivering Lumma Stealer, Swiss-targeted campaigns distributing AsyncRAT, fake software updates deploying NetSupport RAT, and ChatGPT-themed malvertising delivering XWorm. The technique's popularity stems from its effectiveness in bypassing security measures by exploiting users' desire to resolve issues independently.",
          "modified": "2024-12-18T14:00:57.423000",
          "created": "2024-11-18T14:21:40.975000",
          "tags": [
            "malware delivery",
            "cybersecurity",
            "asyncrat",
            "social engineering",
            "darkgate",
            "lucky volunteer",
            "recaptcha phish",
            "danabot",
            "netsupport",
            "latrodectus",
            "lumma stealer",
            "xworm",
            "threat actors",
            "powershell",
            "clickfix",
            "brute ratel c4"
          ],
          "references": [
            "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Switzerland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Danabot",
              "display_name": "Danabot",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Brute Ratel C4",
              "display_name": "Brute Ratel C4",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "Lucky Volunteer",
              "display_name": "Lucky Volunteer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056.004",
              "name": "Credential API Hooking",
              "display_name": "T1056.004 - Credential API Hooking"
            }
          ],
          "industries": [
            "Transportation",
            "Logistics"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 77,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 5,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376726,
          "modified_text": "482 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "673b3777fec02b9049e4aa52",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
          "description": "Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are employing ClickFix through compromised websites, documents, HTML attachments, and malicious URLs. Recent campaigns have included GitHub security vulnerability notifications, Swiss e-commerce marketplace impersonations, fake software updates, and ChatGPT-themed malvertising. The technique has been observed delivering various malware, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. The popularity of ClickFix is attributed to its effectiveness in bypassing security protections by exploiting users' desire to be helpful and independent.",
          "modified": "2024-12-18T12:03:01.372000",
          "created": "2024-11-18T12:47:51.286000",
          "tags": [
            "malware delivery",
            "threat landscape",
            "asyncrat",
            "social engineering",
            "darkgate",
            "lucky volunteer",
            "recaptcha phish",
            "danabot",
            "netsupport",
            "latrodectus",
            "lumma stealer",
            "xworm",
            "phishing",
            "powershell",
            "clickfix",
            "brute ratel c4"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Switzerland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Danabot",
              "display_name": "Danabot",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Brute Ratel C4",
              "display_name": "Brute Ratel C4",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Lucky Volunteer",
              "display_name": "Lucky Volunteer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 74,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 5,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376725,
          "modified_text": "482 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6341d1aa0a02a3f6251ab540",
          "name": "Sinking Yachts Phishing Domains",
          "description": "Sinking Yachts is a Discord based anti-phishing project founded by @nwunder. This project focuses on collecting and flagging domains that are running phishing scams against Discord or Steam, which are often spread with scam messages from compromised accounts. This collection mirrors the entire database and is updated in real time. Website: https://sinking.yachts API: https://phish.sinking.yachts Discord: https://discord.gg/cT6eQjWW8H (temporarily closed) Need to get in touch? Please email admin@fishfish.gg.",
          "modified": "2026-04-14T19:52:52.999000",
          "created": "2022-10-08T19:38:18.341000",
          "tags": [
            "discord",
            "roblox",
            "steam",
            "phishing"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "gaming"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 75564,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "__akac__",
            "id": "175104",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_175104/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 714,
            "hostname": 660
          },
          "indicator_count": 1374,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 517,
          "modified_text": "7 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        },
        {
          "id": "69aefcc5d258300fb3e319e4",
          "name": "sinking yachts clone __akac__ ....",
          "description": "",
          "modified": "2026-04-14T19:52:52.999000",
          "created": "2026-03-09T17:00:53.305000",
          "tags": [
            "discord",
            "roblox",
            "steam",
            "phishing"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "gaming"
          ],
          "TLP": "white",
          "cloned_from": "6341d1aa0a02a3f6251ab540",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 714,
            "hostname": 660
          },
          "indicator_count": 1374,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "7 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        },
        {
          "id": "69aefcc810c78c89c7f6bb87",
          "name": "sinking yachts clone __akac__ ....",
          "description": "",
          "modified": "2026-04-14T19:52:52.999000",
          "created": "2026-03-09T17:00:56.488000",
          "tags": [
            "discord",
            "roblox",
            "steam",
            "phishing"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "gaming"
          ],
          "TLP": "white",
          "cloned_from": "6341d1aa0a02a3f6251ab540",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 714,
            "hostname": 661
          },
          "indicator_count": 1375,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "7 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        },
        {
          "id": "653e8484ba7c285929cb5e0d",
          "name": "CERT.PL list of malicious domains",
          "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)",
          "modified": "2026-04-14T07:01:38.290000",
          "created": "2023-10-29T16:12:52.580000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 157519,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tomtomalien",
            "id": "258713",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 147520,
            "domain": 345200
          },
          "indicator_count": 492720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 454,
          "modified_text": "20 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6785dccb041b628fde283705",
          "name": "phish.directory",
          "description": "phish.directory, a community-driven anti-phishing tool. Helping catch, prevent, and catalog phishing links & attempts.\n\nsee our website at https://phish.directory",
          "modified": "2026-01-25T18:05:17.629000",
          "created": "2025-01-14T03:40:59.456000",
          "tags": [
            "phishing",
            "scams",
            "steam",
            "discord",
            "roblox"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jaspermayone",
            "id": "305022",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 41514,
            "hostname": 11318
          },
          "indicator_count": 52832,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 3,
          "modified_text": "79 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "676c6a9534b2c6b35936ae5f",
          "name": "Phishing Army Blocklist Extended",
          "description": "",
          "modified": "2024-12-25T20:27:00.473000",
          "created": "2024-12-25T20:27:00.473000",
          "tags": [],
          "references": [
            "https://phishing.army/download/phishing_army_blocklist_extended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6491,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 3,
            "domain": 132719,
            "hostname": 128543
          },
          "indicator_count": 267758,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 201,
          "modified_text": "475 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "673c906dfcbf8f74c5261599",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, at the \u00a31.5bn (1bn euros) conference in New York, which is being held this week.",
          "modified": "2024-12-19T13:03:09.256000",
          "created": "2024-11-19T13:19:41.117000",
          "tags": [
            "proofpoint",
            "clickfix",
            "powershell",
            "html",
            "github",
            "clearfake",
            "september",
            "brute ratel",
            "ta571",
            "captcha",
            "asyncrat",
            "lumma stealer",
            "phish",
            "august",
            "ukraine",
            "xworm",
            "danabot",
            "darkgate",
            "verify",
            "agent",
            "aresloader",
            "purelog",
            "ta578",
            "ta579",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "ClickFix",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Proofpoint",
              "display_name": "Proofpoint",
              "target": null
            },
            {
              "id": "PureLog",
              "display_name": "PureLog",
              "target": null
            },
            {
              "id": "TA578",
              "display_name": "TA578",
              "target": null
            },
            {
              "id": "TA579",
              "display_name": "TA579",
              "target": null
            },
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Government",
            "Higher Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 6,
            "hostname": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 844,
          "modified_text": "481 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6747ae5423483853dd03a506",
          "name": "ClickFix Baddys via RussianPanda's Workflow",
          "description": "https://malasada.tech/clickfix-baddys-via-russianpandas-workflow/",
          "modified": "2024-11-27T23:42:12.555000",
          "created": "2024-11-27T23:42:12.555000",
          "tags": [
            "ClickFix"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "malasada.tech",
            "id": "277538",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 147,
            "hostname": 8
          },
          "indicator_count": 155,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "503 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fc82dea97f8a975e6ec46a",
          "name": "InQuest - 01-10-2024",
          "description": "",
          "modified": "2024-10-31T23:03:07.473000",
          "created": "2024-10-01T23:16:46.447000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "URL": 176,
            "hostname": 26,
            "domain": 69,
            "FileHash-SHA256": 116,
            "FileHash-SHA1": 11
          },
          "indicator_count": 543,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1600,
          "modified_text": "530 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fb300ca9c368b09a283346",
          "name": "InQuest - 30-09-2024",
          "description": "",
          "modified": "2024-10-30T23:01:43.623000",
          "created": "2024-09-30T23:11:08.550000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 98,
            "URL": 234,
            "domain": 86,
            "FileHash-SHA256": 93,
            "FileHash-SHA1": 21,
            "hostname": 46
          },
          "indicator_count": 578,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1600,
          "modified_text": "531 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f9aeff2d03baeab048999c",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 29-09-2024",
          "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.",
          "modified": "2024-10-29T19:03:15.889000",
          "created": "2024-09-29T19:48:15.170000",
          "tags": [
            "access",
            "discovery",
            "ta0001 initial",
            "t1003 data",
            "local system",
            "t1033 system",
            "t1057 process",
            "t1082 system",
            "t1087 account"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g7d7074ccf4734ca7b2f24ee7f2c4b7c6a06b0a63e14c4010b93967adb2fae722?theme=light",
            "https://darfe.es/ciberwiki/index.php?title=Lumma",
            "https://www.alertasyseguridad.net/repositorio-ioc/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 242,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "domain": 262
          },
          "indicator_count": 522,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 269,
          "modified_text": "532 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ee01db3bae6406007e82b6",
          "name": "URLHaus data - 20-09-2024",
          "description": "",
          "modified": "2024-10-20T23:05:22.638000",
          "created": "2024-09-20T23:14:35.945000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "dropped-by-PrivateLoader",
            "encrypted",
            "exe",
            "ps1",
            "cmd",
            "dll",
            "Stealc",
            "opendir",
            "bazaloader",
            "bruteratel",
            "Latrodectus",
            "msi",
            "hidakibest",
            "gafgyt",
            "sh",
            "Yakuza",
            "mirai",
            "ofc",
            "offon",
            "mixbot",
            "nbot",
            "arm",
            "SocGholish",
            "botnetdomain",
            "proxy",
            "ua-wget",
            "sora",
            "AikoStress",
            "killua",
            "netcat",
            "CoinMiner",
            "ladvix",
            "gz",
            "Cleanlog",
            "hacktool",
            "rootkit",
            "CVE-2016-5195",
            "DirtyCow",
            "bruteforce",
            "NanoMiner",
            "hoho",
            "dvr",
            "zip",
            "GorillaBotnet",
            "c2",
            ".net",
            "banker",
            "JanelaRat",
            "latam",
            "trojan",
            "redtail",
            "MarsStealer",
            "xworm",
            "CVE-2017-17215",
            "HailBot",
            "x86-32",
            "Socks5Systemz",
            "criptonize",
            "ddos",
            "shellscript",
            "Vidar"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1000,
            "domain": 9,
            "hostname": 6
          },
          "indicator_count": 1015,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1600,
          "modified_text": "541 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f4369c8c456fad7f796ad2",
          "name": "Behind the CAPTCHA: A Clever Gateway of Malware (URLs) - McAfee post",
          "description": "Scanner only picked up hashes, as URLs were sanitized[.] Added the domain/URLs for this pulse.\nFrom: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
          "modified": "2024-09-25T16:13:16.579000",
          "created": "2024-09-25T16:13:16.579000",
          "tags": [
            "malicious urls",
            "Lumma Stealer"
          ],
          "references": [
            "Captcha_Lumma_URL_IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 24,
            "domain": 3
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "566 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Lumma",
        "https://www.virustotal.com/graph/embed/g7d7074ccf4734ca7b2f24ee7f2c4b7c6a06b0a63e14c4010b93967adb2fae722?theme=light",
        "https://www.alertasyseguridad.net/repositorio-ioc/",
        "Captcha_Lumma_URL_IOCs.csv",
        "https://phishing.army/download/phishing_army_blocklist_extended.txt",
        "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape",
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape",
        "https://labs.inquest.net/iocdb",
        "https://urlhaus.abuse.ch/browse/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Danabot",
            "Netsupport",
            "Latrodectus",
            "Brute ratel c4",
            "Lucky volunteer",
            "Lumma stealer",
            "Asyncrat",
            "Xworm",
            "Darkgate"
          ],
          "industries": [
            "Logistics",
            "Government",
            "Technology",
            "Transportation"
          ]
        },
        "other": {
          "adversary": [
            "ClickFix"
          ],
          "malware_families": [
            "Ta579",
            "Lumma",
            "Proofpoint",
            "Netsupport",
            "Purelog",
            "Lumma stealer",
            "Ta578",
            "Clickfix"
          ],
          "industries": [
            "Government",
            "Higher education",
            "Gaming"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "673b4d7444eb18d613635395",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
      "description": "The ClickFix social engineering technique, which tricks users into copying and running malicious PowerShell commands, has become increasingly prevalent across the threat landscape. Initially observed in campaigns by TA571 and ClearFake, it is now used by multiple threat actors to deliver various malware types. The technique often employs fake error messages or CAPTCHA checks to deceive users. Recent examples include GitHub notification impersonations delivering Lumma Stealer, Swiss-targeted campaigns distributing AsyncRAT, fake software updates deploying NetSupport RAT, and ChatGPT-themed malvertising delivering XWorm. The technique's popularity stems from its effectiveness in bypassing security measures by exploiting users' desire to resolve issues independently.",
      "modified": "2024-12-18T14:00:57.423000",
      "created": "2024-11-18T14:21:40.975000",
      "tags": [
        "malware delivery",
        "cybersecurity",
        "asyncrat",
        "social engineering",
        "darkgate",
        "lucky volunteer",
        "recaptcha phish",
        "danabot",
        "netsupport",
        "latrodectus",
        "lumma stealer",
        "xworm",
        "threat actors",
        "powershell",
        "clickfix",
        "brute ratel c4"
      ],
      "references": [
        "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Switzerland",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "Danabot",
          "display_name": "Danabot",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Brute Ratel C4",
          "display_name": "Brute Ratel C4",
          "target": null
        },
        {
          "id": "Latrodectus",
          "display_name": "Latrodectus",
          "target": null
        },
        {
          "id": "Lucky Volunteer",
          "display_name": "Lucky Volunteer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056.004",
          "name": "Credential API Hooking",
          "display_name": "T1056.004 - Credential API Hooking"
        }
      ],
      "industries": [
        "Transportation",
        "Logistics"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 77,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 5,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376726,
      "modified_text": "482 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "673b3777fec02b9049e4aa52",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
      "description": "Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are employing ClickFix through compromised websites, documents, HTML attachments, and malicious URLs. Recent campaigns have included GitHub security vulnerability notifications, Swiss e-commerce marketplace impersonations, fake software updates, and ChatGPT-themed malvertising. The technique has been observed delivering various malware, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. The popularity of ClickFix is attributed to its effectiveness in bypassing security protections by exploiting users' desire to be helpful and independent.",
      "modified": "2024-12-18T12:03:01.372000",
      "created": "2024-11-18T12:47:51.286000",
      "tags": [
        "malware delivery",
        "threat landscape",
        "asyncrat",
        "social engineering",
        "darkgate",
        "lucky volunteer",
        "recaptcha phish",
        "danabot",
        "netsupport",
        "latrodectus",
        "lumma stealer",
        "xworm",
        "phishing",
        "powershell",
        "clickfix",
        "brute ratel c4"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Switzerland",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "Danabot",
          "display_name": "Danabot",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Brute Ratel C4",
          "display_name": "Brute Ratel C4",
          "target": null
        },
        {
          "id": "Latrodectus",
          "display_name": "Latrodectus",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Lucky Volunteer",
          "display_name": "Lucky Volunteer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology",
        "Transportation",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 74,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 5,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376725,
      "modified_text": "482 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6341d1aa0a02a3f6251ab540",
      "name": "Sinking Yachts Phishing Domains",
      "description": "Sinking Yachts is a Discord based anti-phishing project founded by @nwunder. This project focuses on collecting and flagging domains that are running phishing scams against Discord or Steam, which are often spread with scam messages from compromised accounts. This collection mirrors the entire database and is updated in real time. Website: https://sinking.yachts API: https://phish.sinking.yachts Discord: https://discord.gg/cT6eQjWW8H (temporarily closed) Need to get in touch? Please email admin@fishfish.gg.",
      "modified": "2026-04-14T19:52:52.999000",
      "created": "2022-10-08T19:38:18.341000",
      "tags": [
        "discord",
        "roblox",
        "steam",
        "phishing"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "gaming"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 75564,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "__akac__",
        "id": "175104",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_175104/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 714,
        "hostname": 660
      },
      "indicator_count": 1374,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 517,
      "modified_text": "7 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    },
    {
      "id": "69aefcc5d258300fb3e319e4",
      "name": "sinking yachts clone __akac__ ....",
      "description": "",
      "modified": "2026-04-14T19:52:52.999000",
      "created": "2026-03-09T17:00:53.305000",
      "tags": [
        "discord",
        "roblox",
        "steam",
        "phishing"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "gaming"
      ],
      "TLP": "white",
      "cloned_from": "6341d1aa0a02a3f6251ab540",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 714,
        "hostname": 660
      },
      "indicator_count": 1374,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "7 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    },
    {
      "id": "69aefcc810c78c89c7f6bb87",
      "name": "sinking yachts clone __akac__ ....",
      "description": "",
      "modified": "2026-04-14T19:52:52.999000",
      "created": "2026-03-09T17:00:56.488000",
      "tags": [
        "discord",
        "roblox",
        "steam",
        "phishing"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "gaming"
      ],
      "TLP": "white",
      "cloned_from": "6341d1aa0a02a3f6251ab540",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 714,
        "hostname": 661
      },
      "indicator_count": 1375,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "7 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    },
    {
      "id": "653e8484ba7c285929cb5e0d",
      "name": "CERT.PL list of malicious domains",
      "description": "See: https://cert.pl/en/warning-list/\n\n(archived version here: https://web.archive.org/web/20231029161224/https://cert.pl/en/posts/2020/03/malicious_domains/)",
      "modified": "2026-04-14T07:01:38.290000",
      "created": "2023-10-29T16:12:52.580000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 157519,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tomtomalien",
        "id": "258713",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 147520,
        "domain": 345200
      },
      "indicator_count": 492720,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 454,
      "modified_text": "20 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6785dccb041b628fde283705",
      "name": "phish.directory",
      "description": "phish.directory, a community-driven anti-phishing tool. Helping catch, prevent, and catalog phishing links & attempts.\n\nsee our website at https://phish.directory",
      "modified": "2026-01-25T18:05:17.629000",
      "created": "2025-01-14T03:40:59.456000",
      "tags": [
        "phishing",
        "scams",
        "steam",
        "discord",
        "roblox"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jaspermayone",
        "id": "305022",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 41514,
        "hostname": 11318
      },
      "indicator_count": 52832,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 3,
      "modified_text": "79 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "676c6a9534b2c6b35936ae5f",
      "name": "Phishing Army Blocklist Extended",
      "description": "",
      "modified": "2024-12-25T20:27:00.473000",
      "created": "2024-12-25T20:27:00.473000",
      "tags": [],
      "references": [
        "https://phishing.army/download/phishing_army_blocklist_extended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6491,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 3,
        "domain": 132719,
        "hostname": 128543
      },
      "indicator_count": 267758,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 201,
      "modified_text": "475 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "673c906dfcbf8f74c5261599",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | Proofpoint US",
      "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, at the \u00a31.5bn (1bn euros) conference in New York, which is being held this week.",
      "modified": "2024-12-19T13:03:09.256000",
      "created": "2024-11-19T13:19:41.117000",
      "tags": [
        "proofpoint",
        "clickfix",
        "powershell",
        "html",
        "github",
        "clearfake",
        "september",
        "brute ratel",
        "ta571",
        "captcha",
        "asyncrat",
        "lumma stealer",
        "phish",
        "august",
        "ukraine",
        "xworm",
        "danabot",
        "darkgate",
        "verify",
        "agent",
        "aresloader",
        "purelog",
        "ta578",
        "ta579",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "ClickFix",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Proofpoint",
          "display_name": "Proofpoint",
          "target": null
        },
        {
          "id": "PureLog",
          "display_name": "PureLog",
          "target": null
        },
        {
          "id": "TA578",
          "display_name": "TA578",
          "target": null
        },
        {
          "id": "TA579",
          "display_name": "TA579",
          "target": null
        },
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Government",
        "Higher Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 6,
        "hostname": 1
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 844,
      "modified_text": "481 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6747ae5423483853dd03a506",
      "name": "ClickFix Baddys via RussianPanda's Workflow",
      "description": "https://malasada.tech/clickfix-baddys-via-russianpandas-workflow/",
      "modified": "2024-11-27T23:42:12.555000",
      "created": "2024-11-27T23:42:12.555000",
      "tags": [
        "ClickFix"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "malasada.tech",
        "id": "277538",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 147,
        "hostname": 8
      },
      "indicator_count": 155,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 28,
      "modified_text": "503 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "github-scanner.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "github-scanner.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://github-scanner.com//l6E.exe",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-09-20",
        "tags": [
          "exe",
          "LummaStealer"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776222756.9042757
}