{
  "type": "Domain",
  "indicator": "google-verify.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/google-verify.com",
    "alexa": "http://www.alexa.com/siteinfo/google-verify.com",
    "indicator": "google-verify.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 9215,
      "indicator": "google-verify.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "5a26d621cdfd16043af60a9a",
          "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
          "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
          "modified": "2017-12-05T17:23:45.194000",
          "created": "2017-12-05T17:23:45.194000",
          "tags": [
            "rocket kitten",
            "Turk Black Hat",
            "irgc",
            "iran"
          ],
          "references": [
            "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Charming Kitten",
          "targeted_countries": [
            "Israel"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Media",
            "NGO",
            "Human Rights",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 87,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 28,
            "domain": 219,
            "FileHash-SHA256": 6,
            "URL": 4,
            "hostname": 216,
            "FileHash-MD5": 45,
            "FileHash-SHA1": 8
          },
          "indicator_count": 526,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386620,
          "modified_text": "3098 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5640d95e67db8c7a156aeaaa",
          "name": "Rocket Kitten: A campaign with 9 lives",
          "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.",
          "modified": "2017-08-23T14:00:07.639000",
          "created": "2015-11-09T17:35:26.197000",
          "tags": [
            "rocket kitten",
            "newscaster",
            "Saffron rose",
            "iran",
            "Gholee",
            "CWoolger",
            "MPK",
            "Havij",
            "acunetix",
            "NetSparker",
            "checkpoint"
          ],
          "references": [
            "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 7.0,
          "downvotes_count": 0.0,
          "votes_count": 7.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "hostname": 25,
            "FileHash-MD5": 73,
            "FileHash-SHA1": 66,
            "YARA": 4
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386538,
          "modified_text": "3202 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "556f64deb45ff51f05cfbb9e",
          "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign",
          "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate that it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.",
          "modified": "2017-03-07T15:01:49.598000",
          "created": "2015-06-03T20:34:38.801000",
          "tags": [
            "iran",
            "spearphishing",
            "phishing",
            "israel",
            "Gholee",
            "Rocket Kitten",
            "WOOLEN GOLDFISH",
            "Ajax Security Team",
            "Newscaster",
            "CWoolger",
            "Middle East"
          ],
          "references": [
            "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "domain": 7,
            "hostname": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "email": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386542,
          "modified_text": "3371 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.",
          "modified": "2026-05-31T01:02:14",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1330,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 64343,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 880099,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 300,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68650f1136a4ca758ba1611a",
          "name": "Iranian APT actor-APT35 pt2",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:50:57.084000",
          "tags": [],
          "references": [
            "APT35 pt2.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 331,
            "email": 5,
            "hostname": 412
          },
          "indicator_count": 760,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "303 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686510765c13a0e97e20cb9c",
          "name": "Iranian APT actor-APT35 pt3",
          "description": "",
          "modified": "2025-08-01T10:03:06.225000",
          "created": "2025-07-02T10:56:54.075000",
          "tags": [],
          "references": [
            "APT35 pt3.pdf"
          ],
          "public": 1,
          "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 124,
            "FileHash-SHA1": 103,
            "FileHash-SHA256": 106,
            "CVE": 6,
            "domain": 337,
            "email": 4,
            "hostname": 229
          },
          "indicator_count": 909,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "303 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "632349065aa657208658ea7f",
          "name": "Ajax Security Team | MITRE ATT&CK Group  ID: G0130",
          "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.",
          "modified": "2022-10-15T12:01:33.826000",
          "created": "2022-09-15T15:47:18.656000",
          "tags": [
            "actor/ajaxsecurityteam"
          ],
          "references": [
            "https://attack.mitre.org/groups/G0130/",
            "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
            "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
            "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
          ],
          "public": 1,
          "adversary": "Ajax Security Team",
          "targeted_countries": [
            "United States of America",
            "Israel",
            "Iran, Islamic Republic of",
            "Russian Federation",
            "Syrian Arab Republic"
          ],
          "malware_families": [
            {
              "id": "Flying Kitten",
              "display_name": "Flying Kitten",
              "target": null
            },
            {
              "id": "Ishak",
              "display_name": "Ishak",
              "target": null
            },
            {
              "id": "GHOLE",
              "display_name": "GHOLE",
              "target": null
            },
            {
              "id": "TSPY_WOOLERG.A.",
              "display_name": "TSPY_WOOLERG.A.",
              "target": null
            },
            {
              "id": "BKDR_GHOLE.B.",
              "display_name": "BKDR_GHOLE.B.",
              "target": null
            },
            {
              "id": "Detected Gholee",
              "display_name": "Detected Gholee",
              "target": null
            },
            {
              "id": "Hoffman",
              "display_name": "Hoffman",
              "target": null
            },
            {
              "id": "Rocket Kitten",
              "display_name": "Rocket Kitten",
              "target": null
            },
            {
              "id": "GHolE",
              "display_name": "GHolE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Aerospace",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 73,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 67,
            "URL": 15,
            "domain": 54,
            "email": 6,
            "hostname": 44,
            "CIDR": 1,
            "YARA": 1
          },
          "indicator_count": 330,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "1323 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62da2a443f27d56616b9a530",
          "name": "Charming Kitten",
          "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.",
          "modified": "2022-08-20T00:02:32.698000",
          "created": "2022-07-22T04:40:36.129000",
          "tags": [
            "downpaper",
            "magichound.retriever",
            "rocket kitten",
            "flying kitten"
          ],
          "references": [
            "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [
            "Saudi Arabia",
            "Denmark",
            "India",
            "United Arab Emirates",
            "Switzerland",
            "Germany",
            "France",
            "Turkey",
            "Israel",
            "United States of America",
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "DownPaper",
              "display_name": "DownPaper",
              "target": null
            },
            {
              "id": "MAGICHOUND.RETRIEVER",
              "display_name": "MAGICHOUND.RETRIEVER",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [
            "Technology",
            "Government",
            "Energy",
            "Journalists",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 45,
            "FileHash-SHA1": 45,
            "FileHash-SHA256": 45,
            "URL": 9,
            "domain": 313,
            "email": 5,
            "hostname": 224
          },
          "indicator_count": 686,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "1380 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "APT35 pt2.pdf",
        "https://attack.mitre.org/groups/G0130/",
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
        "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf",
        "APT35 pt3.pdf",
        "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
        "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
        "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Rocket Kitten",
            "Charming Kitten"
          ],
          "malware_families": [],
          "industries": [
            "Education",
            "Human rights",
            "Media",
            "Ngo"
          ]
        },
        "other": {
          "adversary": [
            "Ajax Security Team",
            "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
            "Rocket Kitten"
          ],
          "malware_families": [
            "Magichound.retriever",
            "Ghole",
            "Detected gholee",
            "Tspy_woolerg.a.",
            "Bkdr_ghole.b.",
            "Flying kitten",
            "Downpaper",
            "Hoffman",
            "Ishak",
            "Rocket kitten"
          ],
          "industries": [
            "Industrial",
            "Energy",
            "Technology",
            "Media",
            "Journalists",
            "Aerospace",
            "Defense",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "5a26d621cdfd16043af60a9a",
      "name": "Iranian cyber espionage against HBO, human rights activists, academic researchers and media outlets",
      "description": "Charming Kitten is an Iranian cyberespionage group operating since approximately 2014. This report exposes\ntheir vast espionage apparatus, active during 2016-2017. We present incidents of company impersonation,\nmade up organizations and individuals, spear phishing and watering hole attacks. We analyze their\nexploitation, delivery, and command-and-control infrastructure, and expose DownPaper, a malware\ndeveloped by the attackers, which has not been publicly documented to date.",
      "modified": "2017-12-05T17:23:45.194000",
      "created": "2017-12-05T17:23:45.194000",
      "tags": [
        "rocket kitten",
        "Turk Black Hat",
        "irgc",
        "iran"
      ],
      "references": [
        "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Charming Kitten",
      "targeted_countries": [
        "Israel"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Media",
        "NGO",
        "Human Rights",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 87,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 28,
        "domain": 219,
        "FileHash-SHA256": 6,
        "URL": 4,
        "hostname": 216,
        "FileHash-MD5": 45,
        "FileHash-SHA1": 8
      },
      "indicator_count": 526,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386620,
      "modified_text": "3098 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5640d95e67db8c7a156aeaaa",
      "name": "Rocket Kitten: A campaign with 9 lives",
      "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.",
      "modified": "2017-08-23T14:00:07.639000",
      "created": "2015-11-09T17:35:26.197000",
      "tags": [
        "rocket kitten",
        "newscaster",
        "Saffron rose",
        "iran",
        "Gholee",
        "CWoolger",
        "MPK",
        "Havij",
        "acunetix",
        "NetSparker",
        "checkpoint"
      ],
      "references": [
        "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 7.0,
      "downvotes_count": 0.0,
      "votes_count": 7.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "hostname": 25,
        "FileHash-MD5": 73,
        "FileHash-SHA1": 66,
        "YARA": 4
      },
      "indicator_count": 180,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386538,
      "modified_text": "3202 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "556f64deb45ff51f05cfbb9e",
      "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign",
      "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.",
      "modified": "2017-03-07T15:01:49.598000",
      "created": "2015-06-03T20:34:38.801000",
      "tags": [
        "iran",
        "spearphishing",
        "phishing",
        "israel",
        "Gholee",
        "Rocket Kitten",
        "WOOLEN GOLDFISH",
        "Ajax Security Team",
        "Newscaster",
        "CWoolger",
        "Middle East"
      ],
      "references": [
        "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 52,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "domain": 7,
        "hostname": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "email": 1
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386542,
      "modified_text": "3371 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
      "modified": "2026-05-31T01:02:14",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1330,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 64343,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 880099,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 300,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68650f1136a4ca758ba1611a",
      "name": "Iranian APT actor-APT35 pt2",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:50:57.084000",
      "tags": [],
      "references": [
        "APT35 pt2.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 331,
        "email": 5,
        "hostname": 412
      },
      "indicator_count": 760,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "303 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686510765c13a0e97e20cb9c",
      "name": "Iranian APT actor-APT35 pt3",
      "description": "",
      "modified": "2025-08-01T10:03:06.225000",
      "created": "2025-07-02T10:56:54.075000",
      "tags": [],
      "references": [
        "APT35 pt3.pdf"
      ],
      "public": 1,
      "adversary": "APT35, Charming Kitten, Mint Sandstorm, Cobalt Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 124,
        "FileHash-SHA1": 103,
        "FileHash-SHA256": 106,
        "CVE": 6,
        "domain": 337,
        "email": 4,
        "hostname": 229
      },
      "indicator_count": 909,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "303 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "632349065aa657208658ea7f",
      "name": "Ajax Security Team | MITRE ATT&CK Group  ID: G0130",
      "description": "Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.",
      "modified": "2022-10-15T12:01:33.826000",
      "created": "2022-09-15T15:47:18.656000",
      "tags": [
        "actor/ajaxsecurityteam"
      ],
      "references": [
        "https://attack.mitre.org/groups/G0130/",
        "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
        "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
        "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
      ],
      "public": 1,
      "adversary": "Ajax Security Team",
      "targeted_countries": [
        "United States of America",
        "Israel",
        "Iran, Islamic Republic of",
        "Russian Federation",
        "Syrian Arab Republic"
      ],
      "malware_families": [
        {
          "id": "Flying Kitten",
          "display_name": "Flying Kitten",
          "target": null
        },
        {
          "id": "Ishak",
          "display_name": "Ishak",
          "target": null
        },
        {
          "id": "GHOLE",
          "display_name": "GHOLE",
          "target": null
        },
        {
          "id": "TSPY_WOOLERG.A.",
          "display_name": "TSPY_WOOLERG.A.",
          "target": null
        },
        {
          "id": "BKDR_GHOLE.B.",
          "display_name": "BKDR_GHOLE.B.",
          "target": null
        },
        {
          "id": "Detected Gholee",
          "display_name": "Detected Gholee",
          "target": null
        },
        {
          "id": "Hoffman",
          "display_name": "Hoffman",
          "target": null
        },
        {
          "id": "Rocket Kitten",
          "display_name": "Rocket Kitten",
          "target": null
        },
        {
          "id": "GHolE",
          "display_name": "GHolE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Aerospace",
        "Defense",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 73,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 67,
        "URL": 15,
        "domain": 54,
        "email": 6,
        "hostname": 44,
        "CIDR": 1,
        "YARA": 1
      },
      "indicator_count": 330,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "1323 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62da2a443f27d56616b9a530",
      "name": "Charming Kitten",
      "description": "A report by ClearSky Cyber Security, 2017, exposes a vast Iranian cyberespionage apparatus, which targets human rights activists, academic researchers and media outlets, and exposes the connection between an Iranian national recently indicted for hacking HBO.",
      "modified": "2022-08-20T00:02:32.698000",
      "created": "2022-07-22T04:40:36.129000",
      "tags": [
        "downpaper",
        "magichound.retriever",
        "rocket kitten",
        "flying kitten"
      ],
      "references": [
        "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [
        "Saudi Arabia",
        "Denmark",
        "India",
        "United Arab Emirates",
        "Switzerland",
        "Germany",
        "France",
        "Turkey",
        "Israel",
        "United States of America",
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "DownPaper",
          "display_name": "DownPaper",
          "target": null
        },
        {
          "id": "MAGICHOUND.RETRIEVER",
          "display_name": "MAGICHOUND.RETRIEVER",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [
        "Technology",
        "Government",
        "Energy",
        "Journalists",
        "Media"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 45,
        "FileHash-SHA1": 45,
        "FileHash-SHA256": 45,
        "URL": 9,
        "domain": 313,
        "email": 5,
        "hostname": 224
      },
      "indicator_count": 686,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 280,
      "modified_text": "1380 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "google-verify.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "google-verify.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780223377.6236875
}