{ "type": "Domain", "indicator": "googlevchrome.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/googlevchrome.com", "alexa": "http://www.alexa.com/siteinfo/googlevchrome.com", "indicator": "googlevchrome.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4035863019, "indicator": "googlevchrome.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6879f8fcecc13fd4ad77e76d", "name": "Chinese Malware Delivery Domains: Part III", "description": "This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake application download sites and update prompts. The actor has made operational changes, including anti-automation measures, reduced site tracker services, increased server distribution, and more discreet registration details. The campaign uses fake login pages, marketing apps, and cryptocurrency-related apps to distribute malware. The actor's motivations appear to be financially driven, potentially including credential theft, financial theft, and access brokering. The report emphasizes the importance of user awareness, enhanced security measures, and multi-layered defense strategies to counter this persistent threat.", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-18T07:34:20.203000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 387178, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687e1ad284872df7fdd74ce1", "name": "Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-20T10:01:02.432000", "created": "2025-07-21T10:47:46.801000", "tags": [ "url https", "indicator", "type" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 23, "FileHash-SHA256": 24, "domain": 1175, "hostname": 4 }, "indicator_count": 1251, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687df49eaf1af13ad0a3aded", "name": "Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-21T08:04:46.438000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6879f8fcecc13fd4ad77e76d", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687f04dd38fbf121138122b6", "name": "IOC - Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-22T03:26:21.248000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6879f8fcecc13fd4ad77e76d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682edfa974c7d127e8d76d48", "name": "2025/CNMalwareDelivery-Pt2", "description": "The full list of Pembrokeshire-based Porthcawl-droed Prawdiau (PwC) has been released, with the help of a few of its own.", "modified": "2025-05-22T08:26:17.524000", "created": "2025-05-22T08:26:17.524000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1169, "hostname": 1 }, "indicator_count": 1170, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "377 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ab7328eaf53dbe1a62d302", "name": "Chinese Malware Delivery Websites Part II: Data Collection", "description": "Cluster 2 from the same actor targeting Chinese-speaking VPN users, among other apps. Cluster 1 was largely indiscriminate, while Cluster 2 involved much more data collection and selective delivery.\n\nhttps://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/", "modified": "2025-02-11T15:56:24.759000", "created": "2025-02-11T15:56:24.759000", "tags": [], "references": [ "CNMalwareDelivery", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery", "https://dti.domaintools.com" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "Gh0st RAT", "display_name": "Gh0st RAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "icampbell", "id": "308595", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308595/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1168, "hostname": 1 }, "indicator_count": 1169, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "477 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii", "CNMalwareDelivery", "https://dti.domaintools.com", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery", "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii/" ], "related": { "alienvault": { "adversary": [ "SilverFox" ], "malware_families": [], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "SilverFox" ], "malware_families": [ "Valleyrat", "Gh0st rat" ], "industries": [ "Finance", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6879f8fcecc13fd4ad77e76d", "name": "Chinese Malware Delivery Domains: Part III", "description": "This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake application download sites and update prompts. The actor has made operational changes, including anti-automation measures, reduced site tracker services, increased server distribution, and more discreet registration details. The campaign uses fake login pages, marketing apps, and cryptocurrency-related apps to distribute malware. The actor's motivations appear to be financially driven, potentially including credential theft, financial theft, and access brokering. The report emphasizes the importance of user awareness, enhanced security measures, and multi-layered defense strategies to counter this persistent threat.", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-18T07:34:20.203000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 387178, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687e1ad284872df7fdd74ce1", "name": "Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-20T10:01:02.432000", "created": "2025-07-21T10:47:46.801000", "tags": [ "url https", "indicator", "type" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 23, "FileHash-SHA256": 24, "domain": 1175, "hostname": 4 }, "indicator_count": 1251, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687df49eaf1af13ad0a3aded", "name": "Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-21T08:04:46.438000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6879f8fcecc13fd4ad77e76d", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687f04dd38fbf121138122b6", "name": "IOC - Chinese Malware Delivery Domains: Part III", "description": "", "modified": "2025-08-17T07:00:08.502000", "created": "2025-07-22T03:26:21.248000", "tags": [ "fake-updates", "windows", "phishing", "cryptocurrency" ], "references": [ "https://dti.domaintools.com/chinese-malware-delivery-domains-part-iii" ], "public": 1, "adversary": "SilverFox", "targeted_countries": [ "China" ], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "6879f8fcecc13fd4ad77e76d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1131, "hostname": 4, "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 23 }, "indicator_count": 1164, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682edfa974c7d127e8d76d48", "name": "2025/CNMalwareDelivery-Pt2", "description": "The full list of Pembrokeshire-based Porthcawl-droed Prawdiau (PwC) has been released, with the help of a few of its own.", "modified": "2025-05-22T08:26:17.524000", "created": "2025-05-22T08:26:17.524000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1169, "hostname": 1 }, "indicator_count": 1170, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "377 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ab7328eaf53dbe1a62d302", "name": "Chinese Malware Delivery Websites Part II: Data Collection", "description": "Cluster 2 from the same actor targeting Chinese-speaking VPN users, among other apps. Cluster 1 was largely indiscriminate, while Cluster 2 involved much more data collection and selective delivery.\n\nhttps://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/", "modified": "2025-02-11T15:56:24.759000", "created": "2025-02-11T15:56:24.759000", "tags": [], "references": [ "CNMalwareDelivery", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CNMalwareDelivery", "https://dti.domaintools.com" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "Gh0st RAT", "display_name": "Gh0st RAT", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "icampbell", "id": "308595", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308595/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1168, "hostname": 1 }, "indicator_count": 1169, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "477 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "googlevchrome.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "googlevchrome.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780517343.2936687 }