{ "type": "Domain", "indicator": "goodtec.lv", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/goodtec.lv", "alexa": "http://www.alexa.com/siteinfo/goodtec.lv", "indicator": "goodtec.lv", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4274482248, "indicator": "goodtec.lv", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd11a976e0d0b8abdb2df8", "name": "Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes", "description": "The Katana botnet, identified as a variant of the Mirai malware, specifically targets Android TV set-top boxes that are typically low-cost and lack robust security measures like Google Play Protect. Katana exploits ADB (Android Debug Bridge) vulnerabilities, facilitating unauthorized access through residential proxy services. This technique has enabled mass exploitation of Android-based devices without needing sophisticated exploits\u2014operators merely require a subscription for these proxies to gain access to millions of vulnerable devices.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:21:45.626000", "tags": [ "katana", "android tv", "mirai", "android", "putty", "chrome", "aosp", "kimwolf", "adb port", "mirai variant", "protect", "service", "first", "pandora", "asyncrat", "xworm", "remcos", "cobalt strike", "rhadamanthys", "locker", "tencent", "attack", "stop", "kill", "openssl", "refresh", "syscall", "arch", "pandora.2", "adb", "rc4", "threatfox id", "c2 protocol", "table slot", "threatfox", "parent domain", "katana bot", "rootkit loader", "tinycc compiler", "1102717", "apk wrapper", "adb staging", "as215925", "as51396", "as202412", "omegatech ltd", "as39900", "sia good", "arm7 elf", "apk delivery", "elf delivery", "singlebyte xor", "xor key" ], "references": [ "https://github.com/deepfield/public-research/blob/main/katana/report.md" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "IoT", "Transportation", "Finance", "Telecommunications", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 3, "domain": 11, "hostname": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 11 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/deepfield/public-research/blob/main/katana/report.md", "IOCs.2026.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana" ], "malware_families": [], "industries": [ "Finance", "Transportation", "Iot", "Media", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd11a976e0d0b8abdb2df8", "name": "Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes", "description": "The Katana botnet, identified as a variant of the Mirai malware, specifically targets Android TV set-top boxes that are typically low-cost and lack robust security measures like Google Play Protect. Katana exploits ADB (Android Debug Bridge) vulnerabilities, facilitating unauthorized access through residential proxy services. This technique has enabled mass exploitation of Android-based devices without needing sophisticated exploits\u2014operators merely require a subscription for these proxies to gain access to millions of vulnerable devices.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:21:45.626000", "tags": [ "katana", "android tv", "mirai", "android", "putty", "chrome", "aosp", "kimwolf", "adb port", "mirai variant", "protect", "service", "first", "pandora", "asyncrat", "xworm", "remcos", "cobalt strike", "rhadamanthys", "locker", "tencent", "attack", "stop", "kill", "openssl", "refresh", "syscall", "arch", "pandora.2", "adb", "rc4", "threatfox id", "c2 protocol", "table slot", "threatfox", "parent domain", "katana bot", "rootkit loader", "tinycc compiler", "1102717", "apk wrapper", "adb staging", "as215925", "as51396", "as202412", "omegatech ltd", "as39900", "sia good", "arm7 elf", "apk delivery", "elf delivery", "singlebyte xor", "xor key" ], "references": [ "https://github.com/deepfield/public-research/blob/main/katana/report.md" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1037.004", "name": "RC Scripts", "display_name": "T1037.004 - RC Scripts" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "IoT", "Transportation", "Finance", "Telecommunications", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 3, "domain": 11, "hostname": 1, "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 11 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "goodtec.lv", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "goodtec.lv", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210811.915714 }