{ "type": "Domain", "indicator": "gov-a.work", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gov-a.work", "alexa": "http://www.alexa.com/siteinfo/gov-a.work", "indicator": "gov-a.work", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4168342803, "indicator": "gov-a.work", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "694c56d0f3f466a559e3f352", "name": "Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.", "modified": "2026-01-23T21:04:49.672000", "created": "2025-12-24T21:10:40.201000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6972e9b3d14043530655c4d6", "name": "IOC - Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign", "description": "In early December 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive. The threat actor's primary objective is to gain persistent, elevated access to the victim's machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information.", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:23:31.664000", "tags": [ "group inchk", "campaign iocs", "initial fake", "government", "india tax", "documents", "ip addresses", "limitedhk", "centerhk", "email address" ], "references": [ "https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 188, "domain": 79, "hostname": 25 }, "indicator_count": 492, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6957582a5ec95aeb9a62faac", "name": "EbeeDec2025 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-01T14:01:43.935000", "created": "2026-01-02T05:31:22.506000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOC-Dec 2025.csv" ], "public": 1, "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 82, "FileHash-SHA256": 103, "URL": 41, "domain": 59, "hostname": 26, "email": 2 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6951f4a669119cc1cdccb831", "name": "IOC - Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "", "modified": "2026-01-23T21:04:49.672000", "created": "2025-12-29T03:25:26.003000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": "694c56d0f3f466a559e3f352", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695b44477d05b6ddc641c1d1", "name": "Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "", "modified": "2026-01-23T21:04:49.672000", "created": "2026-01-05T04:55:35.280000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": "694c56d0f3f466a559e3f352", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694edcac4f9cc8c62fee754a", "name": "aaaaaaaaaaaaaaaaaa", "description": "", "modified": "2025-12-26T19:06:20.958000", "created": "2025-12-26T19:06:20.958000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.csv", "https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign", "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures", "IOC-Dec 2025.csv" ], "related": { "alienvault": { "adversary": [ "Void Arachne" ], "malware_families": [ "Valley rat" ], "industries": [ "Government", "Finance" ] }, "other": { "adversary": [ "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "Silver Fox", "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users" ], "malware_families": [ "Valley rat" ], "industries": [ "Government", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "694c56d0f3f466a559e3f352", "name": "Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "A sophisticated campaign by the Chinese APT group Silver Fox is targeting Indian entities with authentic-looking Income Tax phishing lures. The attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. The campaign uses a multi-stage infection process, starting with a malicious email containing a PDF decoy. The payload is delivered through an NSIS installer, which drops a legitimate Thunder.exe binary and a malicious libexpat.dll for DLL hijacking. The final stage involves the Valley RAT, which uses a two-stage configuration loading mechanism and implements a 3-tier C2 communication loop. The RAT's modular plugin architecture allows for dynamic capability extension and persistence through registry-based storage.", "modified": "2026-01-23T21:04:49.672000", "created": "2025-12-24T21:10:40.201000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6972e9b3d14043530655c4d6", "name": "IOC - Weaponized in China, Deployed in India: The SyncFuture Espionage Targeted Campaign", "description": "In early December 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign deploying a sophisticated, multi-stage backdoor for the likely purpose of long-term espionage. The campaign targets residents of India with phishing emails that impersonate the Income Tax Department of India, luring victims into downloading a malicious archive. The threat actor's primary objective is to gain persistent, elevated access to the victim's machine for continuous monitoring of user activities, file operations, and exfiltration of sensitive information.", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:23:31.664000", "tags": [ "group inchk", "campaign iocs", "initial fake", "government", "india tax", "documents", "ip addresses", "limitedhk", "centerhk", "email address" ], "references": [ "https://www.esentire.com/blog/weaponized-in-china-deployed-in-india-the-syncfuture-espionage-targeted-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 188, "domain": 79, "hostname": 25 }, "indicator_count": 492, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6957582a5ec95aeb9a62faac", "name": "EbeeDec2025 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-01T14:01:43.935000", "created": "2026-01-02T05:31:22.506000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOC-Dec 2025.csv" ], "public": 1, "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 82, "FileHash-SHA256": 103, "URL": 41, "domain": 59, "hostname": 26, "email": 2 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6951f4a669119cc1cdccb831", "name": "IOC - Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "", "modified": "2026-01-23T21:04:49.672000", "created": "2025-12-29T03:25:26.003000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": "694c56d0f3f466a559e3f352", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695b44477d05b6ddc641c1d1", "name": "Silver Fox Targeting India Using Tax Themed Phishing Lures", "description": "", "modified": "2026-01-23T21:04:49.672000", "created": "2026-01-05T04:55:35.280000", "tags": [ "phishing", "india", "valley rat", "dll hijacking", "tax-themed", "multi-stage attack", "apt", "c2 communication", "chinese threat actor" ], "references": [ "https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Valley RAT", "display_name": "Valley RAT", "target": null } ], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.001", "name": "DLL Search Order Hijacking", "display_name": "T1574.001 - DLL Search Order Hijacking" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": "694c56d0f3f466a559e3f352", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 16, "hostname": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694edcac4f9cc8c62fee754a", "name": "aaaaaaaaaaaaaaaaaa", "description": "", "modified": "2025-12-26T19:06:20.958000", "created": "2025-12-26T19:06:20.958000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 5, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "155 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gov-a.work", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gov-a.work", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200642.3461652 }