{ "type": "Domain", "indicator": "gonamod.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gonamod.com", "alexa": "http://www.alexa.com/siteinfo/gonamod.com", "indicator": "gonamod.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3525503030, "indicator": "gonamod.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "641dd2ad4310d178a4c6766e", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "The German Bundesamt fu\u0308r Verfassungsschutz (BfV) and the National\nIntelligence Service of the Republic of Korea (NIS) issue the following Joint\nCyber Security Advisory to raise awareness of KIMSUKY\u2019s (a.k.a. Thallium,\nVelvet Chollima, etc.) cyber campaigns against Google's browser and app\nstore services targeting experts on the Korean Peninsula and North Korea\nissues.", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-24T16:41:17.153000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 385, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386474, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659082b0344ff3780c768636", "name": "APT43", "description": "AKA Kimsuky, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Thallium, Velvet Chollima.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-11-27T13:03:27.333000", "created": "2023-12-30T20:50:56.554000", "tags": [ "APT43", "G0086", "Thallium" ], "references": [ "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky", "https://socradar.io/apt-profile-kimsuky/", "https://attack.mitre.org/groups/G0094/", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of", "United States of America", "Russian Federation" ], "malware_families": [ { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "Brave Prince - S0252", "display_name": "Brave Prince - S0252", "target": null }, { "id": "CSPY Downloader - S0527", "display_name": "CSPY Downloader - S0527", "target": null }, { "id": "Gold Dragon - S0249", "display_name": "Gold Dragon - S0249", "target": null }, { "id": "KGH_SPY - S0526", "display_name": "KGH_SPY - S0526", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "NOKKI - S0353", "display_name": "NOKKI - S0353", "target": null }, { "id": "PsExec - S0029", "display_name": "PsExec - S0029", "target": null }, { "id": "schtasks - S0111", "display_name": "schtasks - S0111", "target": null } ], "attack_ids": [ { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1585.002", "name": "Email Accounts", "display_name": "T1585.002 - Email Accounts" }, { "id": "T1546.001", "name": "Change Default File Association", "display_name": "T1546.001 - Change Default File Association" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1589.003", "name": "Employee Names", "display_name": "T1589.003 - Employee Names" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1550.002", "name": "Pass the Hash", "display_name": "T1550.002 - Pass the Hash" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 108, "FileHash-SHA1": 110, "FileHash-SHA256": 131, "domain": 549, "hostname": 154 }, "indicator_count": 1150, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6423d532c0525a4595728905", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-29T06:05:38.452000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "641dd2ad4310d178a4c6766e", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6423de51dd61f7aaa54788c7", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-29T06:44:33.477000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "6423d532c0525a4595728905", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641d032b0f5a57a499245ad9", "name": "Chrome Extensions are used to steal Gmail Contents", "description": "", "modified": "2023-04-23T01:02:43.122000", "created": "2023-03-24T01:55:55.367000", "tags": [], "references": [ "March 24th, 2023 - CryptoGen Cyber Threat Intelligence - Chrome Extensions are used to steal Gmail Contents.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641c3efda62b617470fcf8d7", "name": "German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics - ASEC BLOG", "description": "Thirteen-year-old boy, 17.8, is the youngest child to be born in the United States at the age of 13.9.7.. and the first person to use it.", "modified": "2023-04-22T11:03:59.902000", "created": "2023-03-23T11:58:53.204000", "tags": [ "kimsuky", "germany", "warn", "expanding cyber", "attack tactics", "federal office", "protection", "ahnlab", "strong", "reply", "chinaz", "facebook", "footer", "insert", "http", "https modecd2", "http param", "appdata", "af download", "fastviewer", "fastspy dex", "fastfire" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.pdf;jsessionid=4E16DC6B57588CEF55C60E353776F176.intranet242?__blob=publicationFile&v=1", "https://asec.ahnlab.com/ko/49964/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2, "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641b396ec185c46680610d3d", "name": "North Korean hackers using Chrome extensions to steal Gmail emails", "description": "https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/", "modified": "2023-04-21T17:02:41.342000", "created": "2023-03-22T17:22:54.933000", "tags": [], "references": [ "2023-03-20-joint-cyber-security-advisory-korean.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "1135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641aa62d29fb2551241102a0", "name": "Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-03-22T06:54:37.136000", "created": "2023-03-22T06:54:37.136000", "tags": [ "ScarCruft" ], "references": [ "2735729.misp-json", "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten-englisch.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1165 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ebbdfa376374a398429ed7", "name": "SharpTongue Deploys Clever Mail-Stealing Browser Extension \u201cSHARPEXT\u201d", "description": "", "modified": "2022-08-04T12:39:22.250000", "created": "2022-08-04T12:39:22.250000", "tags": [ "kimsuky", "sharpext c2", "volexity", "sharpext", "sharptongue", "figure", "devtools", "south korea", "north korea", "microsoft edge", "gmail", "powershell" ], "references": [ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://raw.githubusercontent.com/volexity/threat-intel/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "United States of America", "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Nuclear" ], "TLP": "white", "cloned_from": "62e3841c3792c4bee23a6cfd", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 507, "modified_text": "1395 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e4723d72f7ac5b7b585351", "name": "Twitter Feed - blackorbird - 29-07-2022", "description": "", "modified": "2022-07-29T23:50:21.600000", "created": "2022-07-29T23:50:21.600000", "tags": [], "references": [ "https://twitter.com/blackorbird/status/1552846355613097984" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "1401 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e3841c3792c4bee23a6cfd", "name": "SharpTongue Deploys Clever Mail-Stealing Browser Extension \"SHARPEXT\" | Volexity", "description": "A malicious browser extension deployed by a North Korean threat actor targets individuals working for organisations in the United States, Europe and South Korea, research by Volexity Threat Intelligence suggests, and how the malware works.", "modified": "2022-07-29T06:54:20.240000", "created": "2022-07-29T06:54:20.240000", "tags": [ "kimsuky", "sharpext c2", "volexity", "sharpext", "sharptongue", "figure", "devtools", "south korea", "north korea", "microsoft edge", "gmail", "powershell" ], "references": [ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://raw.githubusercontent.com/volexity/threat-intel/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "United States of America", "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Nuclear" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1401 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e2dfed26bbeef0f1ff9972", "name": "Mail-Stealing Chrome Extension Used by Cyber-spies", "description": "", "modified": "2022-07-28T19:13:49.132000", "created": "2022-07-28T19:13:49.132000", "tags": [], "references": [ "July 29th, 2022 - CryptoGen Cyber Threat Intelligence - Mail-Stealing Chrome Extension Used by Cyber-spies.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 65, "hostname": 40 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e2d54a63ebfdf06080d85a", "name": "SharpTongue Deploys Clever Mail-Stealing Browser Extension SHARPEXT | Volexity", "description": "A malicious browser extension deployed by a North Korean threat actor targets individuals working for organisations in the United States, Europe and South Korea, research by Volexity Threat Intelligence suggests, and how the malware works.", "modified": "2022-07-28T18:28:26.744000", "created": "2022-07-28T18:28:26.744000", "tags": [ "github", "jump", "sign", "strong", "view", "deploys clever", "code issues", "pull", "wiki security", "unicode", "copy", "contact", "star", "open", "footer", "kimsuky", "sharpext c2", "volexity", "sharpext", "sharptongue", "figure", "devtools", "south korea", "north korea", "microsoft edge", "gmail", "powershell" ], "references": [ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv", "https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/yara.yar" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "United States of America", "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Nuclear" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "FileHash-SHA256": 3 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1402 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "2023-03-20-joint-cyber-security-advisory-korean.pdf", "https://attack.mitre.org/groups/G0094/", "tmp.ziktUZeKXL", "stdbool.hcc0B2j.c", "March 24th, 2023 - CryptoGen Cyber Threat Intelligence - Chrome Extensions are used to steal Gmail Contents.pdf", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "runtime-root", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", ".org.chromium.Chromium.HMzFxo", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/yara.yar", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", "stdbool.ht64kj6qw.c", "@tmp", "https://twitter.com/blackorbird/status/1552846355613097984", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", ".org.chromium.Chromium.T2jdbS", "qtsingleapp-Notifi-4c42-3e8", "qtsingleapp-Octopi-1d88-3e8", "https://socradar.io/apt-profile-kimsuky/", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2", "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten-englisch.pdf", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "pytest-of-mrkd", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "https://github.com/volexity/threat-intel/blob/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "https://asec.ahnlab.com/ko/49964/", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", ".org.chromium.Chromium.8GBhMA", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", ".vbox-mrkd-ipc", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "July 29th, 2022 - CryptoGen Cyber Threat Intelligence - Mail-Stealing Chrome Extension Used by Cyber-spies.pdf", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "v8-compile-cache-0", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", ".org.chromium.Chromium.coQnti", "strlcpydb8x03.c", "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "tst-bz26353KOtJVp", "v8-compile-cache-1000", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "tmp.D4NXyZ3U4J", "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.pdf;jsessionid=4E16DC6B57588CEF55C60E353776F176.intranet242?__blob=publicationFile&v=1", "https://raw.githubusercontent.com/volexity/threat-intel/main/2022/2022-07-28%20SharpTongue%20SharpTongue%20Deploys%20Clever%20Mail-Stealing%20Browser%20Extension%20SHARPEXT/indicators.csv", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "plasma-csd-generator.LTvjbT", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "tmp90lfbdek", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", ".org.chromium.Chromium.12ZdF3", "bauh@mrkd", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", ".X11-unix", "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcatmMvE1V.c", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "albert_yt_ynb2tftv", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", ".ICE-unix", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "2735729.misp-json", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Kimsuky", "N/A" ], "malware_families": [ "Kimsuky", "Psexec - s0029", "Nokki - s0353", "Mimikatz - s0002", "Brave prince - s0252", "Slf:mamacsemacro.a", "Babyshark - s0414", "Appleseed - s0622", "Trojandownloader:linux/morila!mtb", "Sf:shellcode-dz\\ [trj]", "Bv:telegrambot-a\\ [trj]", "Backdoor:win32/r2d2.a", "Netexecutablemicrosoft", "Trojandropper:win32/fakeflexnet.a", "Gold dragon - s0249", "Ransom:linux/darkradiation.a!mtb", "Schtasks - s0111", "Cspy downloader - s0527", "Kgh_spy - s0526", "Delphi" ], "industries": [ "Individuals", "Nuclear", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "641dd2ad4310d178a4c6766e", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "The German Bundesamt fu\u0308r Verfassungsschutz (BfV) and the National\nIntelligence Service of the Republic of Korea (NIS) issue the following Joint\nCyber Security Advisory to raise awareness of KIMSUKY\u2019s (a.k.a. Thallium,\nVelvet Chollima, etc.) cyber campaigns against Google's browser and app\nstore services targeting experts on the Korean Peninsula and North Korea\nissues.", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-24T16:41:17.153000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 385, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386474, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659082b0344ff3780c768636", "name": "APT43", "description": "AKA Kimsuky, Black Banshee, Emerald Sleet, G0086, Operation Stolen Pencil, Thallium, Velvet Chollima.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-11-27T13:03:27.333000", "created": "2023-12-30T20:50:56.554000", "tags": [ "APT43", "G0086", "Thallium" ], "references": [ "https://www.virustotal.com/gui/collection/fa039f49cb8d8b0962fc75e9f4e2ae1462000b317be9cc57874f992c4cd30683", "https://malpedia.caad.fkie.fraunhofer.de/actor/kimsuky", "https://socradar.io/apt-profile-kimsuky/", "https://attack.mitre.org/groups/G0094/", "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of", "United States of America", "Russian Federation" ], "malware_families": [ { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "Brave Prince - S0252", "display_name": "Brave Prince - S0252", "target": null }, { "id": "CSPY Downloader - S0527", "display_name": "CSPY Downloader - S0527", "target": null }, { "id": "Gold Dragon - S0249", "display_name": "Gold Dragon - S0249", "target": null }, { "id": "KGH_SPY - S0526", "display_name": "KGH_SPY - S0526", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "NOKKI - S0353", "display_name": "NOKKI - S0353", "target": null }, { "id": "PsExec - S0029", "display_name": "PsExec - S0029", "target": null }, { "id": "schtasks - S0111", "display_name": "schtasks - S0111", "target": null } ], "attack_ids": [ { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1560.003", "name": "Archive via Custom Method", "display_name": "T1560.003 - Archive via Custom Method" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1586.002", "name": "Email Accounts", "display_name": "T1586.002 - Email Accounts" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1114.003", "name": "Email Forwarding Rule", "display_name": "T1114.003 - Email Forwarding Rule" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1585.002", "name": "Email Accounts", "display_name": "T1585.002 - Email Accounts" }, { "id": "T1546.001", "name": "Change Default File Association", "display_name": "T1546.001 - Change Default File Association" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1589.002", "name": "Email Addresses", "display_name": "T1589.002 - Email Addresses" }, { "id": "T1589.003", "name": "Employee Names", "display_name": "T1589.003 - Employee Names" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1564.002", "name": "Hidden Users", "display_name": "T1564.002 - Hidden Users" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1588.005", "name": "Exploits", "display_name": "T1588.005 - Exploits" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1593.002", "name": "Search Engines", "display_name": "T1593.002 - Search Engines" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1218.005", "name": "Mshta", "display_name": "T1218.005 - Mshta" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1550.002", "name": "Pass the Hash", "display_name": "T1550.002 - Pass the Hash" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1078.003", "name": "Local Accounts", "display_name": "T1078.003 - Local Accounts" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 108, "FileHash-SHA1": 110, "FileHash-SHA256": 131, "domain": 549, "hostname": 154 }, "indicator_count": 1150, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6423d532c0525a4595728905", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-29T06:05:38.452000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "641dd2ad4310d178a4c6766e", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6423de51dd61f7aaa54788c7", "name": "Warning on KIMSUKY1 Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-04-23T16:04:24.392000", "created": "2023-03-29T06:44:33.477000", "tags": [ "Kimsuky", "Google Chrome", "spear phishing", "Google Browser Devtools API" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory.pdf;jsessionid=C932136E2B1078A87C5D02616A769AEB.intranet672?__blob=publicationFile&v=2" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "6423d532c0525a4595728905", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 1, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641d032b0f5a57a499245ad9", "name": "Chrome Extensions are used to steal Gmail Contents", "description": "", "modified": "2023-04-23T01:02:43.122000", "created": "2023-03-24T01:55:55.367000", "tags": [], "references": [ "March 24th, 2023 - CryptoGen Cyber Threat Intelligence - Chrome Extensions are used to steal Gmail Contents.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641c3efda62b617470fcf8d7", "name": "German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics - ASEC BLOG", "description": "Thirteen-year-old boy, 17.8, is the youngest child to be born in the United States at the age of 13.9.7.. and the first person to use it.", "modified": "2023-04-22T11:03:59.902000", "created": "2023-03-23T11:58:53.204000", "tags": [ "kimsuky", "germany", "warn", "expanding cyber", "attack tactics", "federal office", "protection", "ahnlab", "strong", "reply", "chinaz", "facebook", "footer", "insert", "http", "https modecd2", "http param", "appdata", "af download", "fastviewer", "fastspy dex", "fastfire" ], "references": [ "https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.pdf;jsessionid=4E16DC6B57588CEF55C60E353776F176.intranet242?__blob=publicationFile&v=1", "https://asec.ahnlab.com/ko/49964/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2, "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1134 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641b396ec185c46680610d3d", "name": "North Korean hackers using Chrome extensions to steal Gmail emails", "description": "https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/", "modified": "2023-04-21T17:02:41.342000", "created": "2023-03-22T17:22:54.933000", "tags": [], "references": [ "2023-03-20-joint-cyber-security-advisory-korean.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "1135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641aa62d29fb2551241102a0", "name": "Warning on KIMSUKY Cyber Actor's Recent Cyber Campaigns against Google's Browser and App Store Services", "description": "", "modified": "2023-03-22T06:54:37.136000", "created": "2023-03-22T06:54:37.136000", "tags": [ "ScarCruft" ], "references": [ "2735729.misp-json", "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten-englisch.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1165 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gonamod.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gonamod.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780197500.203846 }