{
  "type": "Domain",
  "indicator": "gsonx.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/gsonx.com",
    "alexa": "http://www.alexa.com/siteinfo/gsonx.com",
    "indicator": "gsonx.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3236046237,
      "indicator": "gsonx.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "69cd48ce7b65f7a9350024cd",
          "name": "EbeeMar2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:33:18.540000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 130,
            "FileHash-SHA1": 145,
            "FileHash-SHA256": 207,
            "CVE": 1,
            "URL": 25,
            "domain": 285,
            "email": 4,
            "hostname": 82
          },
          "indicator_count": 879,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c2bd69d7ddf6e60e5188ea",
          "name": "Android devices ship with firmware-level malware",
          "description": "Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.",
          "modified": "2026-04-23T16:19:26.926000",
          "created": "2026-03-24T16:35:53.192000",
          "tags": [
            "c2 server",
            "domain name",
            "armor",
            "keenadu",
            "ip address",
            "bold k50",
            "sha256 hash",
            "g84 firmware",
            "sha1",
            "armor x13"
          ],
          "references": [
            "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1195.001",
              "name": "Compromise Software Dependencies and Development Tools",
              "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "domain": 19,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "39 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699c70c5de80512e1628bfaf",
          "name": "Keenadu Android Backdoor Embedded in Firmware Enables Full Device Compromise",
          "description": "Facebook, Twitter, Facebook, Instagram, Snapchat and other sites are all open to comment on the latest developments from the world's largest social media platforms, as well as those of their own..",
          "modified": "2026-03-25T15:04:14.473000",
          "created": "2026-02-23T15:22:45.963000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cherryid",
            "id": "383941",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 41,
            "FileHash-SHA1": 41,
            "FileHash-SHA256": 41,
            "domain": 18
          },
          "indicator_count": 141,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "68 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6997fce17ae6ac720fec14c5",
          "name": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
          "description": "Malicious software infected with the Keenadu operating system can be detected by analysing the code's code, as well as the software itself, in order to use it to run its own software.",
          "modified": "2026-03-22T06:07:27.526000",
          "created": "2026-02-20T06:19:13.198000",
          "tags": [
            "keenadu",
            "applications",
            "nova clicker",
            "payload cdn"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 75,
            "FileHash-SHA1": 58,
            "FileHash-SHA256": 58,
            "domain": 19,
            "hostname": 5
          },
          "indicator_count": 215,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "71 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69979ddcdbba1952fb51a3de",
          "name": "EbeeFeb2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-21T23:07:14.518000",
          "created": "2026-02-19T23:33:48.858000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20261281 cve",
            "uxxxxxx"
          ],
          "references": [
            "IOCs2.csv"
          ],
          "public": 1,
          "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "CVE": 7,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 148,
            "FileHash-SHA256": 205,
            "domain": 203,
            "hostname": 63
          },
          "indicator_count": 876,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "699762e8ad3e3432e9666e98",
          "name": "Keenadu Android Malware Preinstalled on New Devices",
          "description": "Researchers have identified a new \"backdoor\" in the Android operating system, which can be installed on \"new\" devices and is present on \"thousands of devices\" that are currently operating.",
          "modified": "2026-03-21T19:09:28.611000",
          "created": "2026-02-19T19:22:15.999000",
          "tags": [
            "https",
            "ctia type",
            "date",
            "february",
            "time"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 15,
            "FileHash-MD5": 23,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996fa9bec23f3ef35b68213",
          "name": "Keenadu Android Malware Infects Firmware, Spreads via Google Play for Remote Control Access",
          "description": "Kaspersky has published a detailed analysis of Keenadu, a sophisticated Android backdoor that infects device firmware, spreads through Google Play apps, and allows attackers to take control over victims' devices.",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:57:15.413000",
          "tags": [
            "google play",
            "triada",
            "keenadu",
            "alldocube",
            "badbox",
            "keenadu android",
            "malware a",
            "february",
            "triada trojan",
            "zygote process",
            "april",
            "android",
            "temu",
            "vo1d"
          ],
          "references": [
            "https://cybersecuritynews.com/keenadu-android-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Japan",
            "Germany",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 3
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996fad7174769b1329ac21b",
          "name": "Keenadu the tablet conqueror and the links between major Android botnets | Securelist",
          "description": "",
          "modified": "2026-03-21T11:34:25.575000",
          "created": "2026-02-19T11:58:15.315000",
          "tags": [
            "adware",
            "badbox",
            "botnets",
            "google android",
            "keenadu",
            "malware",
            "malware descriptions",
            "malware technologies",
            "mobile malware",
            "triada",
            "trojan",
            "trojan clicker",
            "vo1d",
            "c2 server",
            "keenadu loader",
            "google play",
            "android",
            "md5 hash",
            "heur",
            "nova",
            "phantom",
            "april",
            "august",
            "temu",
            "clicker",
            "wallpaper",
            "facebook",
            "telegram"
          ],
          "references": [
            "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 61,
            "FileHash-SHA256": 61,
            "URL": 1,
            "domain": 23,
            "hostname": 10,
            "email": 1
          },
          "indicator_count": 241,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "72 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6995ae49ebd94603d440f024",
          "name": "Keenadu Botnet",
          "description": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
          "modified": "2026-03-20T12:02:30.782000",
          "created": "2026-02-18T12:19:19.747000",
          "tags": [
            "reverse dns",
            "forward dns",
            "http",
            "software",
            "openbsd openssh",
            "f5 nginx",
            "matched fields",
            "us technology",
            "frankfurt",
            "main",
            "hesse",
            "godaddycomllc",
            "phoenix",
            "keenadu"
          ],
          "references": [
            "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
            "https://securelist.com/keenadu-android-backdoor/118913/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            },
            {
              "id": "vo1d",
              "display_name": "vo1d",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Vulcanraven",
            "id": "167674",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 37,
            "hostname": 68,
            "URL": 1
          },
          "indicator_count": 106,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "73 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6995b253d7733329100f6f27",
          "name": "Keenadu",
          "description": "The new Keenadu backdoor exposes links between major Android botnets",
          "modified": "2026-03-20T12:02:30.782000",
          "created": "2026-02-18T12:36:33.547000",
          "tags": [
            "entity",
            "Malware",
            "Backdoor",
            "C2",
            "Keenadu"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8?theme=dark",
            "g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Keenadu",
              "display_name": "Keenadu",
              "target": null
            },
            {
              "id": "BADBOX",
              "display_name": "BADBOX",
              "target": null
            },
            {
              "id": "Triada",
              "display_name": "Triada",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Vulcanraven",
            "id": "167674",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 347,
            "domain": 37,
            "hostname": 73
          },
          "indicator_count": 477,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "73 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8?theme=dark",
        "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
        "IOCs.2026.pdf",
        "IOCs2.csv",
        "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews",
        "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware",
        "https://securelist.com/keenadu-android-backdoor/118913/",
        "g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8.json",
        "https://cybersecuritynews.com/keenadu-android-malware/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
            "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R"
          ],
          "malware_families": [
            "Badbox",
            "Triada",
            "Vo1d",
            "Keenadu"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "69cd48ce7b65f7a9350024cd",
      "name": "EbeeMar2026 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:33:18.540000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 130,
        "FileHash-SHA1": 145,
        "FileHash-SHA256": 207,
        "CVE": 1,
        "URL": 25,
        "domain": 285,
        "email": 4,
        "hostname": 82
      },
      "indicator_count": 879,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "31 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c2bd69d7ddf6e60e5188ea",
      "name": "Android devices ship with firmware-level malware",
      "description": "Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.",
      "modified": "2026-04-23T16:19:26.926000",
      "created": "2026-03-24T16:35:53.192000",
      "tags": [
        "c2 server",
        "domain name",
        "armor",
        "keenadu",
        "ip address",
        "bold k50",
        "sha256 hash",
        "g84 firmware",
        "sha1",
        "armor x13"
      ],
      "references": [
        "https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1195.001",
          "name": "Compromise Software Dependencies and Development Tools",
          "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "domain": 19,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "39 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699c70c5de80512e1628bfaf",
      "name": "Keenadu Android Backdoor Embedded in Firmware Enables Full Device Compromise",
      "description": "Facebook, Twitter, Facebook, Instagram, Snapchat and other sites are all open to comment on the latest developments from the world's largest social media platforms, as well as those of their own..",
      "modified": "2026-03-25T15:04:14.473000",
      "created": "2026-02-23T15:22:45.963000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cherryid",
        "id": "383941",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 41,
        "FileHash-SHA1": 41,
        "FileHash-SHA256": 41,
        "domain": 18
      },
      "indicator_count": 141,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "68 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6997fce17ae6ac720fec14c5",
      "name": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
      "description": "Malicious software infected with the Keenadu operating system can be detected by analysing the code's code, as well as the software itself, in order to use it to run its own software.",
      "modified": "2026-03-22T06:07:27.526000",
      "created": "2026-02-20T06:19:13.198000",
      "tags": [
        "keenadu",
        "applications",
        "nova clicker",
        "payload cdn"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 75,
        "FileHash-SHA1": 58,
        "FileHash-SHA256": 58,
        "domain": 19,
        "hostname": 5
      },
      "indicator_count": 215,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "71 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69979ddcdbba1952fb51a3de",
      "name": "EbeeFeb2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-21T23:07:14.518000",
      "created": "2026-02-19T23:33:48.858000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20261281 cve",
        "uxxxxxx"
      ],
      "references": [
        "IOCs2.csv"
      ],
      "public": 1,
      "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "CVE": 7,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 148,
        "FileHash-SHA256": 205,
        "domain": 203,
        "hostname": 63
      },
      "indicator_count": 876,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "699762e8ad3e3432e9666e98",
      "name": "Keenadu Android Malware Preinstalled on New Devices",
      "description": "Researchers have identified a new \"backdoor\" in the Android operating system, which can be installed on \"new\" devices and affects \"thousands of devices\" that are currently in operation.",
      "modified": "2026-03-21T19:09:28.611000",
      "created": "2026-02-19T19:22:15.999000",
      "tags": [
        "https",
        "ctia type",
        "date",
        "february",
        "time"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 15,
        "FileHash-MD5": 23,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996fa9bec23f3ef35b68213",
      "name": "Keenadu Android Malware Infects Firmware, Spreads via Google Play for Remote Control Access",
      "description": "Kaspersky has published a detailed analysis of Keenadu, a sophisticated Android backdoor that infects device firmware, spreads through Google Play apps, and allows attackers to take control over victims' devices.",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:57:15.413000",
      "tags": [
        "google play",
        "triada",
        "keenadu",
        "alldocube",
        "badbox",
        "keenadu android",
        "malware a",
        "february",
        "triada trojan",
        "zygote process",
        "april",
        "android",
        "temu",
        "vo1d"
      ],
      "references": [
        "https://cybersecuritynews.com/keenadu-android-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "Japan",
        "Germany",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 3
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6996fad7174769b1329ac21b",
      "name": "Keenadu the tablet conqueror and the links between major Android botnets | Securelist",
      "description": "",
      "modified": "2026-03-21T11:34:25.575000",
      "created": "2026-02-19T11:58:15.315000",
      "tags": [
        "adware",
        "badbox",
        "botnets",
        "google android",
        "keenadu",
        "malware",
        "malware descriptions",
        "malware technologies",
        "mobile malware",
        "triada",
        "trojan",
        "trojan clicker",
        "vo1d",
        "c2 server",
        "keenadu loader",
        "google play",
        "android",
        "md5 hash",
        "heur",
        "nova",
        "phantom",
        "april",
        "august",
        "temu",
        "clicker",
        "wallpaper",
        "facebook",
        "telegram"
      ],
      "references": [
        "https://securelist.com/keenadu-android-backdoor/118913/?utm_source=cybersecuritynews"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 61,
        "FileHash-SHA256": 61,
        "URL": 1,
        "domain": 23,
        "hostname": 10,
        "email": 1
      },
      "indicator_count": 241,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "72 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6995ae49ebd94603d440f024",
      "name": "Keenadu Botnet",
      "description": "Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets",
      "modified": "2026-03-20T12:02:30.782000",
      "created": "2026-02-18T12:19:19.747000",
      "tags": [
        "reverse dns",
        "forward dns",
        "http",
        "software",
        "openbsd openssh",
        "f5 nginx",
        "matched fields",
        "us technology",
        "frankfurt",
        "main",
        "hesse",
        "godaddycomllc",
        "phoenix",
        "keenadu"
      ],
      "references": [
        "https://www.virustotal.com/graph/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8",
        "https://securelist.com/keenadu-android-backdoor/118913/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        },
        {
          "id": "vo1d",
          "display_name": "vo1d",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Vulcanraven",
        "id": "167674",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 37,
        "hostname": 68,
        "URL": 1
      },
      "indicator_count": 106,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "73 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6995b253d7733329100f6f27",
      "name": "Keenadu",
      "description": "The new Keenadu backdoor exposes links between major Android botnets",
      "modified": "2026-03-20T12:02:30.782000",
      "created": "2026-02-18T12:36:33.547000",
      "tags": [
        "entity",
        "Malware",
        "Backdoor",
        "C2",
        "Keenadu"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8?theme=dark",
        "g64c2194c54614365a0962f458e9fdfa7d36bc70a897941dbbd9d60c4319fcff8.json"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Keenadu",
          "display_name": "Keenadu",
          "target": null
        },
        {
          "id": "BADBOX",
          "display_name": "BADBOX",
          "target": null
        },
        {
          "id": "Triada",
          "display_name": "Triada",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Vulcanraven",
        "id": "167674",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 347,
        "domain": 37,
        "hostname": 73
      },
      "indicator_count": 477,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "73 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "gsonx.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "gsonx.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780364902.2487254
}