{ "type": "Domain", "indicator": "gruta.com.mx", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gruta.com.mx", "alexa": "http://www.alexa.com/siteinfo/gruta.com.mx", "indicator": "gruta.com.mx", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4344003333, "indicator": "gruta.com.mx", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a0a7f3d0f7b11663cef4cf8", "name": "Malware sites", "description": "Malware sites Mexico TLD", "modified": "2026-05-18T02:53:49.423000", "created": "2026-05-18T02:53:49.423000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "carlosxr7", "id": "50553", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_50553/resized/80/avatar_7684c667da.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 12, "hostname": 5 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd43feac04ff5eaf4bab53", "name": "IOC - VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access", "description": "Phishing campaigns leveraging remote management tools is nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign targeting multiple vectors, active since at least April 2025. The campaign has impacted over 80 organizations, predominantly in the United States, spanning multiple sectors. This campaign leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access. In this case, a customized SimpleHelp and SecureConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim. This campaign appears to have been tracked previously by Sophos (tracked as STAC6405) and Redcanary independently while the indicators and behavior within this advisory support and extend the depth of their respective research.", "modified": "2026-05-08T02:01:34.845000", "created": "2026-05-08T02:01:34.845000", "tags": [ "mx domain", "index datacom", "direct payload", "url ipv4", "simplehelp c2", "udphttp 5555", "ipv4", "ionos de", "as8560", "fqdn url" ], "references": [ "https://www.securonix.com/blog/venomous-helper-phishing-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.csv", "https://www.securonix.com/blog/venomous-helper-phishing-campaign" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a0a7f3d0f7b11663cef4cf8", "name": "Malware sites", "description": "Malware sites Mexico TLD", "modified": "2026-05-18T02:53:49.423000", "created": "2026-05-18T02:53:49.423000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "carlosxr7", "id": "50553", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_50553/resized/80/avatar_7684c667da.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 12, "hostname": 5 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fd43feac04ff5eaf4bab53", "name": "IOC - VENOMOUS#HELPER: Dual-RMM Phishing Campaign Leveraging JWrapper-Packaged SimpleHelp and ScreenConnect for Silent Remote Access", "description": "Phishing campaigns leveraging remote management tools is nothing new. Securonix Threat Research has conducted in-depth dynamic analysis of an ongoing phishing campaign targeting multiple vectors, active since at least April 2025. The campaign has impacted over 80 organizations, predominantly in the United States, spanning multiple sectors. This campaign leverages vendor-signed Remote Monitoring and Management (RMM) software to establish silent, persistent access. In this case, a customized SimpleHelp and SecureConnect RMMs are used to bypass defenses as they are legitimately installed by the unsuspecting victim. This campaign appears to have been tracked previously by Sophos (tracked as STAC6405) and Redcanary independently while the indicators and behavior within this advisory support and extend the depth of their respective research.", "modified": "2026-05-08T02:01:34.845000", "created": "2026-05-08T02:01:34.845000", "tags": [ "mx domain", "index datacom", "direct payload", "url ipv4", "simplehelp c2", "udphttp 5555", "ipv4", "ionos de", "as8560", "fqdn url" ], "references": [ "https://www.securonix.com/blog/venomous-helper-phishing-campaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gruta.com.mx", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gruta.com.mx", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200926.10173 }