{ "type": "Domain", "indicator": "glider.cfd", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/glider.cfd", "alexa": "http://www.alexa.com/siteinfo/glider.cfd", "indicator": "glider.cfd", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4185833623, "indicator": "glider.cfd", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d12ef6dea42ffce5b00dd8", "name": "Breaking Aura: five obfuscation layers & hates sandboxes", "description": "Aura is a sophisticated C++ information stealer that emerged as a service since July 2025, intended to replace the previously dismantled Lumma malware. It has recorded 104 unique samples as of November 2025, all with a high detection score of 10/10 classified under the name aura_stealer. The malware embeds complex anti-sandbox mechanisms that result in crashes during analysis, making detection and behavior understanding more difficult. VirusTotal reports a detection rate of 53 out of 75.", "modified": "2026-04-04T15:32:06.364000", "created": "2026-04-04T15:32:06.364000", "tags": [ "reverse-engineering", "malware", "stealer", "encryption", "obfuscation", "heaven", "chrome", "fnv1a hash", "apis", "layer", "aes256cbc", "gate shellcode", "c2 server", "gate x64", "browser", "crypto", "sandbox", "virustotal", "stack", "info", "global", "backend", "atomic", "bitcoin", "exodus", "raven", "anydesk", "discord", "telegram", "steam", "basilisk", "cloudflare" ], "references": [ "https://www.derp.ca/research/aura-stealer-reverse-engineering/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 13 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eec8a83ff76c8fe7dc9e", "name": "ThreatFix_domain_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:06:48.676000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 3, "domain": 2634, "hostname": 1822 }, "indicator_count": 4471, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697668d062ea3bfaf54c51be", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(39), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:02:40.888000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766ce169971ac2cf3cf5d2", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(32), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:20:01.228000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69767115112018feee8ba9b3", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(32), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:37:57.086000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697673e9194fe4b0e338259b", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(26), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:50:01.306000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976758a82e390ac6a8c4811", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(26), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:56:58.142000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697665dc2b433d6ef34b939e", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(39), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T18:03:42.653000", "created": "2026-01-25T18:50:04.089000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 16, "URL": 59 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697650c21bb6ba9734b009c2", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(40), Stealc(33). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T17:00:32.371000", "created": "2026-01-25T17:20:02.095000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 56, "hostname": 16 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697657cc82730d448d26eb7e", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(37), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T17:00:32.371000", "created": "2026-01-25T17:50:04.300000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 56, "hostname": 16 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697642b495d44b4c0a4e78f1", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown Stealer(87), AsyncRAT(64), Unknown malware(48), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T16:00:05.465000", "created": "2026-01-25T16:20:04.180000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 10, "hostname": 16 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697649bd39845d114a2b1ec6", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(40), Stealc(33). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T16:00:05.465000", "created": "2026-01-25T16:50:05.791000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 56, "hostname": 16 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69763baccb5ff0b84f8c09c7", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(87), AsyncRAT(64), Unknown malware(49), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T15:02:59.189000", "created": "2026-01-25T15:50:04.103000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "domain": 12, "hostname": 23 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69762695e2b57a739c7f9b92", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(87), AsyncRAT(64), Unknown malware(49), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T14:01:03.830000", "created": "2026-01-25T14:20:05.234000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "domain": 12, "hostname": 23 }, "indicator_count": 91, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69762d9e7695765045676022", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(87), AsyncRAT(64), Unknown malware(49), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T14:01:03.830000", "created": "2026-01-25T14:50:06.137000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "domain": 12, "hostname": 23 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69761882edb9e66af490597f", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(87), AsyncRAT(64), Unknown malware(50), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T13:03:14.542000", "created": "2026-01-25T13:20:02.478000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 53, "domain": 12, "hostname": 23 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69760a786613664d57f63b66", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(86), AsyncRAT(64), Unknown malware(50), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T12:03:43.544000", "created": "2026-01-25T12:20:08.923000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 52, "hostname": 23, "domain": 11 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976117e617803fd058cce39", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(95), Unknown Stealer(87), AsyncRAT(64), Unknown malware(50), Quasar RAT(40). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T12:03:43.544000", "created": "2026-01-25T12:50:06.400000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 52, "hostname": 23 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975ee542796db6535c5ce55", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Unknown malware(48), Quasar RAT(39). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T10:02:56.890000", "created": "2026-01-25T10:20:04.410000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 37, "hostname": 37, "domain": 24 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975f55d070460deaa56b893", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Unknown malware(50), Quasar RAT(39). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T10:02:56.890000", "created": "2026-01-25T10:50:05.118000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "hostname": 36, "domain": 23 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975dfdcf60922a5c5cec57d", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T09:03:47.999000", "created": "2026-01-25T09:18:20.142000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "hostname": 45, "domain": 26 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975e041169a2656fce46abd", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T09:03:47.999000", "created": "2026-01-25T09:20:01.722000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "hostname": 45, "domain": 26 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975d2369f2c40c4732c4653", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 45 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T08:02:18.309000", "created": "2026-01-25T08:20:06.739000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 26, "URL": 5 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975d93e23edc4bf01391ee6", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown Stealer(86), AsyncRAT(54), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 45 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T08:02:18.309000", "created": "2026-01-25T08:50:06.620000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 47, "domain": 26, "URL": 5 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975c421ec09a65f485672ca", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(53), Quasar RAT(39), Stealc(32). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T07:03:54.953000", "created": "2026-01-25T07:20:01.677000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 56, "URL": 15 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975cb2c5e291b50754f5bd9", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(53), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T07:03:54.953000", "created": "2026-01-25T07:50:04.976000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 56, "URL": 15 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975b6155289f111c7f67a5a", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(53), Quasar RAT(39), Stealc(32). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T06:20:05.921000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 56, "URL": 15 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975bd1c3bfb032d3c87987d", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(53), Quasar RAT(39), Stealc(32). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T06:02:43.853000", "created": "2026-01-25T06:50:04.450000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "hostname": 56, "URL": 15 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975af0c5347f79ed4aa7625", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(52), Quasar RAT(39), Stealc(32). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T05:03:19.257000", "created": "2026-01-25T05:50:04.890000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 24, "hostname": 55 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6975a0fe200808c7d15b2ce0", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(113), Unknown Stealer(86), AsyncRAT(52), Quasar RAT(39), Stealc(31). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T04:03:06.070000", "created": "2026-01-25T04:50:06.516000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 24, "hostname": 55 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69758be3d764c483f4c3acad", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(39), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T03:02:52.524000", "created": "2026-01-25T03:20:03.439000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "domain": 24, "hostname": 65 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697592ecd33f66d4d8cd5131", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(39), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T03:02:52.524000", "created": "2026-01-25T03:50:04.728000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "domain": 24, "hostname": 65 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69757dd407bd312bc9d9fedc", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(39), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T02:01:18.220000", "created": "2026-01-25T02:20:04.120000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "domain": 24, "hostname": 65 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69756fc1631a98e91525dc5b", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(39), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T01:03:00.394000", "created": "2026-01-25T01:20:01.521000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 24, "hostname": 65, "URL": 15 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697576cdc7aa3fc17d6f34d5", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(39), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T01:03:00.394000", "created": "2026-01-25T01:50:05.773000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "domain": 24, "hostname": 65 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697561b327da70511c18e3df", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(35), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T00:03:36.555000", "created": "2026-01-25T00:20:03.416000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 66, "domain": 22, "URL": 15 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697568c197454889a1114774", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(115), Unknown Stealer(86), AsyncRAT(55), Quasar RAT(35), Unknown malware(33). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T00:03:36.555000", "created": "2026-01-25T00:50:09.891000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 66, "domain": 22, "URL": 15 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697553a3920061cbd94df84c", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(118), Unknown Stealer(86), AsyncRAT(55), Unknown malware(33), Quasar RAT(30). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T23:03:21.803000", "created": "2026-01-24T23:20:03.437000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "domain": 25, "URL": 15 }, "indicator_count": 121, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69755aaa00f28a97c5f41e91", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(118), Unknown Stealer(86), AsyncRAT(55), Unknown malware(33), Quasar RAT(30). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T23:03:21.803000", "created": "2026-01-24T23:50:02.935000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "domain": 25, "URL": 15 }, "indicator_count": 121, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69754592981fb64c49264bdb", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(118), Unknown Stealer(86), AsyncRAT(55), Unknown malware(34), Stealc(30). Source: abuse.ch ThreatFox API. SSL enriched: 45 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T22:01:24.744000", "created": "2026-01-24T22:20:02.171000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 22, "hostname": 79, "URL": 20, "FileHash-SHA256": 2, "FileHash-MD5": 2, "FileHash-SHA1": 2 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69754c9c04d37f3dab8dc7d8", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown Stealer/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(118), Unknown Stealer(86), AsyncRAT(55), Unknown malware(34), Stealc(30). Source: abuse.ch ThreatFox API. SSL enriched: 45 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T22:01:24.744000", "created": "2026-01-24T22:50:04.909000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-stealer", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 84, "domain": 25, "URL": 20 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69660a475affd772804d9d7b", "name": "ThreatFix_domains", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-12T09:06:57.591000", "created": "2026-01-13T09:03:02.558000", "tags": [ "ransomware, malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma Stealer - S1213", "display_name": "Lumma Stealer - S1213", "target": null }, { "id": "ALF:HeraklezEval:PWS:MSIL/RedLine", "display_name": "ALF:HeraklezEval:PWS:MSIL/RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2533, "hostname": 6022, "email": 4 }, "indicator_count": 8559, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6981b2a52bc2da0fa5f88c9f", "name": "Botnet_Cc | 2026-01-31", "description": "Botnet_Cc indicators. Date: 2026-01-31. Total: 2061 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-02-03T08:32:37.880000", "created": "2026-02-03T08:32:37.880000", "tags": [ "botnet_cc", "threatfox" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 284, "URL": 171, "domain": 190 }, "indicator_count": 645, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "116 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69769bcdb967b3fed3fa3f53", "name": "PreCog Sweep - 2026-01-25 22h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T22:40:13.364000", "created": "2026-01-25T22:40:13.364000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 54, "URL": 61 }, "indicator_count": 149, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976997476747d913f7ec783", "name": "PreCog Sweep - 2026-01-25 22h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T22:30:12.752000", "created": "2026-01-25T22:30:12.752000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 35, "hostname": 54, "URL": 61 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976971cfa2406a2156e690b", "name": "PreCog Sweep - 2026-01-25 22h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T22:20:12.409000", "created": "2026-01-25T22:20:12.409000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 35, "hostname": 54, "URL": 61 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697694c4587ca3ebc62ce137", "name": "PreCog Sweep - 2026-01-25 22h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T22:10:12.440000", "created": "2026-01-25T22:10:12.440000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 39, "hostname": 52, "URL": 61 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976926daeff827621862543", "name": "PreCog Sweep - 2026-01-25 22h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T22:00:13.404000", "created": "2026-01-25T22:00:13.404000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 39, "hostname": 52, "URL": 61 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976901433ef2e76e2f658cd", "name": "PreCog Sweep - 2026-01-25 21h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-25T21:50:12.740000", "created": "2026-01-25T21:50:12.740000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 39, "hostname": 52, "URL": 61 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch", "https://ltna.com.au/cyber", "https://www.derp.ca/research/aura-stealer-reverse-engineering/", "https://github.com/pduggusa/dugganusa-research", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5." ], "malware_families": [ "Ransomhub", "Unknown stealer", "Quasar rat", "Meterpreter", "Qilin", "Asyncrat", "Alf:heraklezeval:pws:msil/redline", "Lumma stealer - s1213", "Unknown malware", "Valleyrat", "Stealc" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d12ef6dea42ffce5b00dd8", "name": "Breaking Aura: five obfuscation layers & hates sandboxes", "description": "Aura is a sophisticated C++ information stealer that emerged as a service since July 2025, intended to replace the previously dismantled Lumma malware. It has recorded 104 unique samples as of November 2025, all with a high detection score of 10/10 classified under the name aura_stealer. The malware embeds complex anti-sandbox mechanisms that result in crashes during analysis, making detection and behavior understanding more difficult. VirusTotal reports a detection rate of 53 out of 75.", "modified": "2026-04-04T15:32:06.364000", "created": "2026-04-04T15:32:06.364000", "tags": [ "reverse-engineering", "malware", "stealer", "encryption", "obfuscation", "heaven", "chrome", "fnv1a hash", "apis", "layer", "aes256cbc", "gate shellcode", "c2 server", "gate x64", "browser", "crypto", "sandbox", "virustotal", "stack", "info", "global", "backend", "atomic", "bitcoin", "exodus", "raven", "anydesk", "discord", "telegram", "steam", "basilisk", "cloudflare" ], "references": [ "https://www.derp.ca/research/aura-stealer-reverse-engineering/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 3, "domain": 13 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6996eec8a83ff76c8fe7dc9e", "name": "ThreatFix_domain_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:06:48.676000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 3, "domain": 2634, "hostname": 1822 }, "indicator_count": 4471, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "70 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697668d062ea3bfaf54c51be", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(39), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:02:40.888000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69766ce169971ac2cf3cf5d2", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(32), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:20:01.228000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69767115112018feee8ba9b3", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(32), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:37:57.086000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697673e9194fe4b0e338259b", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(26), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:50:01.306000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976758a82e390ac6a8c4811", "name": "OSINT Volley 2026-01-25 - Meterpreter/Unknown malware/Quasar RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), Unknown malware(48), Quasar RAT(33), AsyncRAT(26), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 30 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T19:00:57.620000", "created": "2026-01-25T19:56:58.142000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "quasar-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 16, "URL": 59 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 192, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697665dc2b433d6ef34b939e", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(39), ValleyRAT(18). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T18:03:42.653000", "created": "2026-01-25T18:50:04.089000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 16, "URL": 59 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697650c21bb6ba9734b009c2", "name": "OSINT Volley 2026-01-25 - Meterpreter/AsyncRAT/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(94), AsyncRAT(64), Unknown malware(48), Quasar RAT(40), Stealc(33). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-24T17:00:32.371000", "created": "2026-01-25T17:20:02.095000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "asyncrat", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 56, "hostname": 16 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "glider.cfd", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "glider.cfd", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780173806.383337 }