{ "type": "Domain", "indicator": "githubapp.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/githubapp.net", "alexa": "http://www.alexa.com/siteinfo/githubapp.net", "indicator": "githubapp.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2631165817, "indicator": "githubapp.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "681a66fd8309a0fad22d97ae", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-06T19:46:05.811000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Fox Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386652, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cf2f70a15e0a6421a9fd21", "name": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations", "description": "This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques like credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates like NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, procedures, indicators of compromise, and recommended mitigations.", "modified": "2024-09-27T14:04:14.736000", "created": "2024-08-28T14:08:48.146000", "tags": [ "cve-2024-24919", "blackcat", "alphv", "cve-2024-3400", "credential-theft", "state-sponsored", "cve-2022-1388", "cve-2024-21887", "ransomware", "noberus", "iran", "ransomhouse", "cve-2019-19781", "webshells", "cve-2023-3519", "noescape" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a" ], "public": 1, "adversary": "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "NoEscape", "display_name": "NoEscape", "target": null }, { "id": "Ransomhouse", "display_name": "Ransomhouse", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null } ], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" } ], "industries": [ "Education", "Finance", "Healthcare", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 156, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 14, "FileHash-SHA256": 7, "domain": 1, "hostname": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386653, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb27ef79369f1b24cd171", "name": "EbeeMar2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:23:26.711000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "bitcoinaddress" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 93, "FileHash-MD5": 157, "FileHash-SHA1": 150, "FileHash-SHA256": 268, "CVE": 5, "domain": 135, "email": 1, "hostname": 42 }, "indicator_count": 851, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68650dc72066f12ec3d51939", "name": "Iranian APT Actors-Pt4", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:45:25.998000", "tags": [], "references": [ "IOCs.pdf" ], "public": 1, "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 92, "FileHash-SHA1": 100, "FileHash-SHA256": 124, "CVE": 13, "domain": 157, "email": 2, "hostname": 8 }, "indicator_count": 511, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821a99cca8c0daeb63e0e80", "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T07:56:12.393000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218d8bfd3eede26d8aa89e", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T05:56:27.300000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ac7f182949e1ea4764e41", "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-07T02:39:45.775000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f13229233c5673b57b7505", "name": "Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs | Censys", "description": "", "modified": "2024-10-20T09:04:03.661000", "created": "2024-09-23T09:17:29.912000", "tags": [ "iocs", "censys", "advisory", "host d", "hosts d", "http", "fox kitten", "host g", "jan24", "encrypt", "august", "first", "find", "date", "soldiers" ], "references": [ "https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66f1320c2af0ca34641c0c24", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 5 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f1320c2af0ca34641c0c24", "name": "Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs | Censys", "description": "", "modified": "2024-10-20T09:04:03.661000", "created": "2024-09-23T09:17:00.450000", "tags": [ "iocs", "censys", "advisory", "host d", "hosts d", "http", "fox kitten", "host g", "jan24", "encrypt", "august", "first", "find", "date", "soldiers" ], "references": [ "https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66ed3c18cf3b83b1a575b7b7", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 5 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ed3c18cf3b83b1a575b7b7", "name": "Analysis of Fox Kitten Infrastructure Reveals Unique Host Patterns and Potentially New IOCs | Censys", "description": "", "modified": "2024-10-20T09:04:03.661000", "created": "2024-09-20T09:10:48.431000", "tags": [ "iocs", "censys", "advisory", "host d", "hosts d", "http", "fox kitten", "host g", "jan24", "encrypt", "august", "first", "find", "date", "soldiers" ], "references": [ "https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 5 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d875a3c5b05d0e8dc29ffb", "name": "Iranian State-Sponsored Hackers Become Access Brokers For Ransomware Gangsca - Cyble", "description": "aliases: Pioneer Kitten, Fox Kitten, Lemon Sandstorm, Br0k3r, xplfinder\nIranian State-Sponsored group moving into Access Broker territory and ransomware", "modified": "2024-10-04T14:04:08.201000", "created": "2024-09-04T14:58:43.097000", "tags": [ "threat intelligence", "pioneer kitten", "ransomware", "netscaler", "pioneer", "kitten", "cisa", "vpns", "cve20243400", "panos", "shodan", "ngrok", "cves", "noescape", "ligolo", "anydesk", "powershell" ], "references": [ "https://cyble.com/blog/iranian-state-sponsored-hackers-have-become-access-brokers-for-ransomware-gangsca/" ], "public": 1, "adversary": "Pioneer Kitten, Fox Kitten, Lemon Sandstorm, Br0k3r, xplfinder", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "BitcoinAddress": 14, "CVE": 9, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "604 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d64556faddb1ca2a0c30e9", "name": "InQuest - 02-09-2024", "description": "", "modified": "2024-10-02T23:04:14.510000", "created": "2024-09-02T23:08:06.898000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "FileHash-SHA256": 29, "hostname": 6, "domain": 2, "FileHash-MD5": 16 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66ea9b990974594c1fac2803", "name": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations", "description": "", "modified": "2024-09-27T14:04:14.736000", "created": "2024-09-18T09:21:29.061000", "tags": [ "cve-2024-24919", "blackcat", "alphv", "cve-2024-3400", "credential-theft", "state-sponsored", "cve-2022-1388", "cve-2024-21887", "ransomware", "noberus", "iran", "ransomhouse", "cve-2019-19781", "webshells", "cve-2023-3519", "noescape" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a" ], "public": 1, "adversary": "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "NoEscape", "display_name": "NoEscape", "target": null }, { "id": "Ransomhouse", "display_name": "Ransomhouse", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null } ], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" } ], "industries": [ "Education", "Finance", "Healthcare", "Defense", "Government" ], "TLP": "white", "cloned_from": "66d7de1503eb3fd27788bb58", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 14, "FileHash-SHA256": 7, "domain": 1, "hostname": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d7de1503eb3fd27788bb58", "name": " Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations", "description": "", "modified": "2024-09-27T14:04:14.736000", "created": "2024-09-04T04:12:05.364000", "tags": [ "cve-2024-24919", "blackcat", "alphv", "cve-2024-3400", "credential-theft", "state-sponsored", "cve-2022-1388", "cve-2024-21887", "ransomware", "noberus", "iran", "ransomhouse", "cve-2019-19781", "webshells", "cve-2023-3519", "noescape" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a" ], "public": 1, "adversary": "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "NoEscape", "display_name": "NoEscape", "target": null }, { "id": "Ransomhouse", "display_name": "Ransomhouse", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null } ], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" } ], "industries": [ "Education", "Finance", "Healthcare", "Defense", "Government" ], "TLP": "white", "cloned_from": "66cf2f70a15e0a6421a9fd21", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 14, "FileHash-SHA256": 7, "domain": 1, "hostname": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.2.csv", "https://labs.inquest.net/iocdb", "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf", "https://cyble.com/blog/iranian-state-sponsored-hackers-have-become-access-brokers-for-ransomware-gangsca/", "https://censys.com/analysis-of-fox-kitten-infrastructure-reveals-unique-host-patterns-and-potentially-new-iocs/", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a", "IOCs.pdf" ], "related": { "alienvault": { "adversary": [ "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "Fox Kitten" ], "malware_families": [ "Ransomhouse", "Noberus", "Noescape", "Alphv", "Blackcat - s1068" ], "industries": [ "Government", "Healthcare", "Finance", "Defense", "Energy", "Education" ] }, "other": { "adversary": [ "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF", "Pioneer Kitten, Fox Kitten, Lemon Sandstorm, Br0k3r, xplfinder", "Lemon Sandstorm", "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares" ], "malware_families": [ "Ransomhouse", "Noberus", "Noescape", "Alphv", "Blackcat - s1068" ], "industries": [ "Government", "Healthcare", "Finance", "Defense", "Energy", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "681a66fd8309a0fad22d97ae", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-06T19:46:05.811000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Fox Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386652, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66cf2f70a15e0a6421a9fd21", "name": "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations", "description": "This advisory outlines the activities of an Iran-based cyber threat group that has conducted numerous intrusions against organizations in the United States and other countries since 2017, with the goal of obtaining network access to facilitate ransomware attacks. The group, known by various names such as Pioneer Kitten and UNC757, exploits vulnerabilities in public-facing devices to gain initial access, and then uses techniques like credential theft, remote access tools, and webshells to maintain persistence and move laterally within compromised networks. A significant portion of their operations involves collaborating with ransomware affiliates like NoEscape and ALPHV to deploy ransomware and extort victims. The advisory provides details on the group's tactics, techniques, procedures, indicators of compromise, and recommended mitigations.", "modified": "2024-09-27T14:04:14.736000", "created": "2024-08-28T14:08:48.146000", "tags": [ "cve-2024-24919", "blackcat", "alphv", "cve-2024-3400", "credential-theft", "state-sponsored", "cve-2022-1388", "cve-2024-21887", "ransomware", "noberus", "iran", "ransomhouse", "cve-2019-19781", "webshells", "cve-2023-3519", "noescape" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a" ], "public": 1, "adversary": "Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm", "targeted_countries": [], "malware_families": [ { "id": "NoEscape", "display_name": "NoEscape", "target": null }, { "id": "Ransomhouse", "display_name": "Ransomhouse", "target": null }, { "id": "BlackCat - S1068", "display_name": "BlackCat - S1068", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null }, { "id": "Noberus", "display_name": "Noberus", "target": null } ], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" } ], "industries": [ "Education", "Finance", "Healthcare", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 156, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 14, "FileHash-SHA256": 7, "domain": 1, "hostname": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386653, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbb27ef79369f1b24cd171", "name": "EbeeMar2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:23:26.711000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "bitcoinaddress" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Gentlemen Ransomware, Ruby Jumper, Moonrise RAT, Dust Specter, NoEscape, Ransom House, Steaelite", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 93, "FileHash-MD5": 157, "FileHash-SHA1": 150, "FileHash-SHA256": 268, "CVE": 5, "domain": 135, "email": 1, "hostname": 42 }, "indicator_count": 851, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68650dc72066f12ec3d51939", "name": "Iranian APT Actors-Pt4", "description": "", "modified": "2025-08-01T10:03:06.225000", "created": "2025-07-02T10:45:25.998000", "tags": [], "references": [ "IOCs.pdf" ], "public": 1, "adversary": "Agrius, Cuboid Sandstorm, Tortoiseshell, Gray Sandstorm, Pumpkin Sandstorm, Lemon Sandstorm, BladedF", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 92, "FileHash-SHA1": 100, "FileHash-SHA256": 124, "CVE": 13, "domain": 157, "email": 2, "hostname": 8 }, "indicator_count": 511, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821a99cca8c0daeb63e0e80", "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T07:56:12.393000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218d8bfd3eede26d8aa89e", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T05:56:27.300000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ac7f182949e1ea4764e41", "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-07T02:39:45.775000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "githubapp.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "githubapp.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780309009.7938457 }