{ "type": "Domain", "indicator": "gonefishe.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gonefishe.com", "alexa": "http://www.alexa.com/siteinfo/gonefishe.com", "indicator": "gonefishe.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4107884968, "indicator": "gonefishe.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "688c90e02299a978d26a9533", "name": "MaaS Appeal: An Infostealer Rises From The Ashes \u2014 Elastic Security Labs", "description": "", "modified": "2025-08-01T10:03:12.858000", "created": "2025-08-01T10:03:12.858000", "tags": [ "novablight", "discord", "telegram", "github", "telegram api", "mullvad", "maas", "malicord", "github gist", "task manager", "steam", "code", "atomic", "crypto", "exodus", "powershell", "first" ], "references": [ "https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "YARA": 1, "domain": 9, "hostname": 5 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "303 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0771c7fedc096b10c2bb", "name": "MaaS Appeal: An Infostealer Rises From The Ashes.", "description": "NOVABLIGHT is a sophisticated NodeJS-based infostealer marketed as a Malware-as-a-Service (MaaS) offering primarily focused on stealing user credentials and compromising cryptocurrency wallets. It is the product of a French-speaking threat actor group known as Sordeal Group, which has also released other malware such as Nova Sentinel and MALICORD. The infrastructure supporting NOVABLIGHT leverages Telegram and Discord for sales, licensing, and community interaction, with licenses offered for durations between one and twelve months.", "modified": "2025-07-31T06:04:33.687000", "created": "2025-07-31T06:04:33.687000", "tags": [ "novablight", "discord", "telegram", "github", "telegram api", "mullvad", "maas", "malicord", "github gist", "task manager", "steam", "code", "atomic", "crypto", "exodus", "powershell", "first" ], "references": [ "https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-SHA256": 4, "YARA": 1, "domain": 9, "hostname": 3 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "304 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "688c90e02299a978d26a9533", "name": "MaaS Appeal: An Infostealer Rises From The Ashes \u2014 Elastic Security Labs", "description": "", "modified": "2025-08-01T10:03:12.858000", "created": "2025-08-01T10:03:12.858000", "tags": [ "novablight", "discord", "telegram", "github", "telegram api", "mullvad", "maas", "malicord", "github gist", "task manager", "steam", "code", "atomic", "crypto", "exodus", "powershell", "first" ], "references": [ "https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "YARA": 1, "domain": 9, "hostname": 5 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "303 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0771c7fedc096b10c2bb", "name": "MaaS Appeal: An Infostealer Rises From The Ashes.", "description": "NOVABLIGHT is a sophisticated NodeJS-based infostealer marketed as a Malware-as-a-Service (MaaS) offering primarily focused on stealing user credentials and compromising cryptocurrency wallets. It is the product of a French-speaking threat actor group known as Sordeal Group, which has also released other malware such as Nova Sentinel and MALICORD. The infrastructure supporting NOVABLIGHT leverages Telegram and Discord for sales, licensing, and community interaction, with licenses offered for durations between one and twelve months.", "modified": "2025-07-31T06:04:33.687000", "created": "2025-07-31T06:04:33.687000", "tags": [ "novablight", "discord", "telegram", "github", "telegram api", "mullvad", "maas", "malicord", "github gist", "task manager", "steam", "code", "atomic", "crypto", "exodus", "powershell", "first" ], "references": [ "https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-SHA256": 4, "YARA": 1, "domain": 9, "hostname": 3 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "304 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gonefishe.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gonefishe.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780289971.496411 }