{ "type": "Domain", "indicator": "govnp.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/govnp.org", "alexa": "http://www.alexa.com/siteinfo/govnp.org", "indicator": "govnp.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3803492442, "indicator": "govnp.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "68e3799426081d966136f26a", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia", "description": "APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware in open directories. Over 50 malicious domains were uncovered across various platforms, with Pakistan accounting for 40% of the identified domains. The campaign utilizes maritime and port-themed lures to target government and military entities. SideWinder's infrastructure overlaps with legacy C2 assets, indicating recycling across multiple years. The group maintains a high operational tempo, with new phishing domains emerging every 3-5 days.", "modified": "2025-11-05T08:00:35.320000", "created": "2025-10-06T08:11:00.647000", "tags": [ "south asia", "apt", "government", "phishing", "credential harvesting", "military" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "RAZOR TIGER", "targeted_countries": [ "Bangladesh", "Myanmar", "Nepal", "Pakistan", "Singapore", "Sri Lanka" ], "malware_families": [ { "id": "AdobeUpdateCore.exe", "display_name": "AdobeUpdateCore.exe", "target": null }, { "id": "EdgUpdate.exe", "display_name": "EdgUpdate.exe", "target": null }, { "id": "gwadardxgi.dll", "display_name": "gwadardxgi.dll", "target": null }, { "id": "agent2.malz", "display_name": "agent2.malz", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 19, "domain": 8, "hostname": 13 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0ee2a89e636295bd71edbe", "name": "SideWinder", "description": "These SideWinder indicators were identified by pivoting on the pulse referenced below.", "modified": "2026-05-21T10:47:04.750000", "created": "2026-05-21T10:47:04.750000", "tags": [ "SideWinder", "Side Winder" ], "references": [ "https://otx.alienvault.com/pulse/64a77d566d9dee954cabc22b", "https://otx.alienvault.com/pulse/6897447b49f0971e56200788" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "merc922x", "id": "30199", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1, "hostname": 1, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e5f8392707ad81c3927f03", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia", "description": "", "modified": "2025-11-05T08:00:35.320000", "created": "2025-10-08T05:35:53.033000", "tags": [ "south asia", "apt", "government", "phishing", "credential harvesting", "military" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Bangladesh", "Myanmar", "Nepal", "Pakistan", "Singapore", "Sri Lanka" ], "malware_families": [ { "id": "AdobeUpdateCore.exe", "display_name": "AdobeUpdateCore.exe", "target": null }, { "id": "EdgUpdate.exe", "display_name": "EdgUpdate.exe", "target": null }, { "id": "gwadardxgi.dll", "display_name": "gwadardxgi.dll", "target": null }, { "id": "agent2.malz", "display_name": "agent2.malz", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Transportation" ], "TLP": "white", "cloned_from": "68e3799426081d966136f26a", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 19, "domain": 8, "hostname": 13 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e0181a7ba78df1c5d898fd", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia.", "description": "Operation SouthNet, attributed to the SideWinder threat actor, has seen an extensive escalation of phishing and malware activities throughout South Asia. Analysis revealed over 50 malicious domains used for hosting fake Outlook and Zimbra portals aimed at credential harvesting. The campaign has been diversified across five countries, with Pakistan comprising approximately 40% of the identified domains. Techniques employed include the distribution of weaponized documents themed around governmental affairs, underscoring the targeting of sensitive sectors.\n\nThe operation was operational in August 2025, and it specifically aimed at government and defense organizations across Nepal, Bangladesh, and Turkey. SideWinder leveraged free hosting platforms such as Netlify and http://pages.dev to deploy its phishing infrastructure.", "modified": "2025-11-02T18:02:27.721000", "created": "2025-10-03T18:38:18.150000", "tags": [ "nepal", "pakistan", "ministry", "sidewinder", "sri lanka", "apt sidewinder", "south asia", "bangladesh", "phishing", "zimbra", "wave", "demon", "assembly", "defense", "energy", "android", "sector", "rapid", "credential theft" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Bangladesh", "Nepal", "Sri Lanka", "Myanmar", "T\u00fcrkiye", "Singapore", "China" ], "malware_families": [ { "id": "Credential Theft", "display_name": "Credential Theft", "target": null } ], "attack_ids": [ { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Military", "Defense", "Marine", "Foreign Affairs", "Maritime", "Political", "Finance", "Telecom", "Aerospace" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 63, "domain": 10, "hostname": 59 }, "indicator_count": 147, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658f40912596bcdb19e1dba2", "name": "A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government - Netskope", "description": "Netskope helps the largest agencies and enterprises in the world secure their journey to the cloud and the Zero Trust (SASE) architecture for the next generation of SASE Branch services and services.", "modified": "2023-12-29T21:56:33.198000", "created": "2023-12-29T21:56:33.198000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "883 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658c2d0dd19a4994481d9f39", "name": "A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government - Netskope", "description": "Netskope helps the largest agencies and enterprises in the world secure their journey to the cloud and the Zero Trust (SASE) architecture for the next generation of SASE Branch services and services.", "modified": "2023-12-27T13:56:29.474000", "created": "2023-12-27T13:56:29.474000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4, "URL": 15 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6585a1a8b57a73cd544ad6ed", "name": "Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware", "description": "A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.\n\n\"Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation,\" Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.", "modified": "2023-12-22T14:48:08.673000", "created": "2023-12-22T14:48:08.673000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government", "https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 333, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing", "https://otx.alienvault.com/pulse/6897447b49f0971e56200788", "IOCs-MAY2.csv", "https://otx.alienvault.com/pulse/64a77d566d9dee954cabc22b", "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government", "https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html", "IOCs_Oct week-1.pdf" ], "related": { "alienvault": { "adversary": [ "RAZOR TIGER" ], "malware_families": [ "Agent2.malz", "Adobeupdatecore.exe", "Gwadardxgi.dll", "Edgupdate.exe" ], "industries": [ "Government", "Transportation", "Defense" ] }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "SideWinder", "Multiple APT/Malware" ], "malware_families": [ "Agent2.malz", "Adobeupdatecore.exe", "Gwadardxgi.dll", "Edgupdate.exe", "Credential theft", "Nim" ], "industries": [ "Foreign affairs", "Government", "Political", "Transportation", "Maritime", "Telecom", "Marine", "Aerospace", "Finance", "Military", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "68e3799426081d966136f26a", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia", "description": "APT SideWinder has launched a new targeted operation dubbed Operation SouthNet, focusing on the maritime sector in South Asia, particularly Pakistan and Sri Lanka. The group leverages free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware in open directories. Over 50 malicious domains were uncovered across various platforms, with Pakistan accounting for 40% of the identified domains. The campaign utilizes maritime and port-themed lures to target government and military entities. SideWinder's infrastructure overlaps with legacy C2 assets, indicating recycling across multiple years. The group maintains a high operational tempo, with new phishing domains emerging every 3-5 days.", "modified": "2025-11-05T08:00:35.320000", "created": "2025-10-06T08:11:00.647000", "tags": [ "south asia", "apt", "government", "phishing", "credential harvesting", "military" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "RAZOR TIGER", "targeted_countries": [ "Bangladesh", "Myanmar", "Nepal", "Pakistan", "Singapore", "Sri Lanka" ], "malware_families": [ { "id": "AdobeUpdateCore.exe", "display_name": "AdobeUpdateCore.exe", "target": null }, { "id": "EdgUpdate.exe", "display_name": "EdgUpdate.exe", "target": null }, { "id": "gwadardxgi.dll", "display_name": "gwadardxgi.dll", "target": null }, { "id": "agent2.malz", "display_name": "agent2.malz", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 19, "domain": 8, "hostname": 13 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0ee2a89e636295bd71edbe", "name": "SideWinder", "description": "These SideWinder indicators were identified by pivoting on the pulse referenced below.", "modified": "2026-05-21T10:47:04.750000", "created": "2026-05-21T10:47:04.750000", "tags": [ "SideWinder", "Side Winder" ], "references": [ "https://otx.alienvault.com/pulse/64a77d566d9dee954cabc22b", "https://otx.alienvault.com/pulse/6897447b49f0971e56200788" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "merc922x", "id": "30199", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1, "hostname": 1, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e5f8392707ad81c3927f03", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia", "description": "", "modified": "2025-11-05T08:00:35.320000", "created": "2025-10-08T05:35:53.033000", "tags": [ "south asia", "apt", "government", "phishing", "credential harvesting", "military" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Bangladesh", "Myanmar", "Nepal", "Pakistan", "Singapore", "Sri Lanka" ], "malware_families": [ { "id": "AdobeUpdateCore.exe", "display_name": "AdobeUpdateCore.exe", "target": null }, { "id": "EdgUpdate.exe", "display_name": "EdgUpdate.exe", "target": null }, { "id": "gwadardxgi.dll", "display_name": "gwadardxgi.dll", "target": null }, { "id": "agent2.malz", "display_name": "agent2.malz", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Government", "Defense", "Transportation" ], "TLP": "white", "cloned_from": "68e3799426081d966136f26a", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 19, "domain": 8, "hostname": 13 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e0181a7ba78df1c5d898fd", "name": "Operation SouthNet: SideWinder Expands Phishing and Malware Operations in South Asia.", "description": "Operation SouthNet, attributed to the SideWinder threat actor, has seen an extensive escalation of phishing and malware activities throughout South Asia. Analysis revealed over 50 malicious domains used for hosting fake Outlook and Zimbra portals aimed at credential harvesting. The campaign has been diversified across five countries, with Pakistan comprising approximately 40% of the identified domains. Techniques employed include the distribution of weaponized documents themed around governmental affairs, underscoring the targeting of sensitive sectors.\n\nThe operation was operational in August 2025, and it specifically aimed at government and defense organizations across Nepal, Bangladesh, and Turkey. SideWinder leveraged free hosting platforms such as Netlify and http://pages.dev to deploy its phishing infrastructure.", "modified": "2025-11-02T18:02:27.721000", "created": "2025-10-03T18:38:18.150000", "tags": [ "nepal", "pakistan", "ministry", "sidewinder", "sri lanka", "apt sidewinder", "south asia", "bangladesh", "phishing", "zimbra", "wave", "demon", "assembly", "defense", "energy", "android", "sector", "rapid", "credential theft" ], "references": [ "https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Bangladesh", "Nepal", "Sri Lanka", "Myanmar", "T\u00fcrkiye", "Singapore", "China" ], "malware_families": [ { "id": "Credential Theft", "display_name": "Credential Theft", "target": null } ], "attack_ids": [ { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Military", "Defense", "Marine", "Foreign Affairs", "Maritime", "Political", "Finance", "Telecom", "Aerospace" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 63, "domain": 10, "hostname": 59 }, "indicator_count": 147, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "209 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658f40912596bcdb19e1dba2", "name": "A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government - Netskope", "description": "Netskope helps the largest agencies and enterprises in the world secure their journey to the cloud and the Zero Trust (SASE) architecture for the next generation of SASE Branch services and services.", "modified": "2023-12-29T21:56:33.198000", "created": "2023-12-29T21:56:33.198000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "883 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658c2d0dd19a4994481d9f39", "name": "A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government - Netskope", "description": "Netskope helps the largest agencies and enterprises in the world secure their journey to the cloud and the Zero Trust (SASE) architecture for the next generation of SASE Branch services and services.", "modified": "2023-12-27T13:56:29.474000", "created": "2023-12-27T13:56:29.474000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4, "URL": 15 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "885 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6585a1a8b57a73cd544ad6ed", "name": "Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware", "description": "A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.\n\n\"Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation,\" Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said.", "modified": "2023-12-22T14:48:08.673000", "created": "2023-12-22T14:48:08.673000", "tags": [ "c server", "user", "vbscript", "netskope threat", "nim backdoor", "word document", "office", "vba code", "dark power", "menorah malware", "exact", "jack", "class", "sandbox", "nim" ], "references": [ "https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government", "https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 333, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "hostname": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "890 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "govnp.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "govnp.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780203631.3310928 }