{ "type": "Domain", "indicator": "gitomer.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gitomer.com", "alexa": "http://www.alexa.com/siteinfo/gitomer.com", "indicator": "gitomer.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4116586470, "indicator": "gitomer.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6895aceaf8d4d7295fce7c8c", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.", "modified": "2025-08-08T08:19:18.280000", "created": "2025-08-08T07:53:14.905000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "GOLD PRELUDE", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386549, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689acf7b65de644b57cec5ca", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "", "modified": "2025-08-12T05:22:03.648000", "created": "2025-08-12T05:22:03.648000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": "6895aceaf8d4d7295fce7c8c", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689901bb2323b0727bc2539f", "name": "SocGholish Malware Exploits TDS Networks to Target Victims", "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.", "modified": "2025-08-10T20:31:55.193000", "created": "2025-08-10T20:31:55.193000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895e01b6aa8015c20031989", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push", "description": "", "modified": "2025-08-08T11:31:39.962000", "created": "2025-08-08T11:31:39.962000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "296 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "related": { "alienvault": { "adversary": [ "GOLD PRELUDE" ], "malware_families": [ "Lockbit", "Dridex - s0384", "Mintsloader", "Wastedlocker - s0612", "Hades", "Socgholish", "Raspberry robin", "Bugat v5", "Netsupportrat" ], "industries": [ "Energy", "Government", "Finance", "Healthcare", "Technology" ] }, "other": { "adversary": [ "TA569" ], "malware_families": [ "Lockbit", "Dridex - s0384", "Mintsloader", "Wastedlocker - s0612", "Hades", "Socgholish", "Raspberry robin", "Bugat v5", "Netsupportrat" ], "industries": [ "Energy", "Government", "Finance", "Healthcare", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6895aceaf8d4d7295fce7c8c", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.", "modified": "2025-08-08T08:19:18.280000", "created": "2025-08-08T07:53:14.905000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "GOLD PRELUDE", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386549, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689acf7b65de644b57cec5ca", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "", "modified": "2025-08-12T05:22:03.648000", "created": "2025-08-12T05:22:03.648000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": "6895aceaf8d4d7295fce7c8c", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689901bb2323b0727bc2539f", "name": "SocGholish Malware Exploits TDS Networks to Target Victims", "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.", "modified": "2025-08-10T20:31:55.193000", "created": "2025-08-10T20:31:55.193000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895e01b6aa8015c20031989", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push", "description": "", "modified": "2025-08-08T11:31:39.962000", "created": "2025-08-08T11:31:39.962000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "296 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gitomer.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gitomer.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780246307.3724024 }