{ "type": "Domain", "indicator": "gupdate.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gupdate.net", "alexa": "http://www.alexa.com/siteinfo/gupdate.net", "indicator": "gupdate.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3935240175, "indicator": "gupdate.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "681a66fd8309a0fad22d97ae", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-06T19:46:05.811000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Fox Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386972, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b090cdcc6b1efeb7afc7b9", "name": "CheckMesh: Hidden Threats in Your FW", "description": "This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.", "modified": "2024-09-04T08:03:43.335000", "created": "2024-08-05T08:43:57.589000", "tags": [ "meshagent", "encrypted communication", "advanced persistent threat", "credential theft", "firewall compromise", "lateral movement" ], "references": [ "https://hackerseye.net/all-blog-items/checkmesh" ], "public": 1, "adversary": "LilacSquid", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "MeshAgent", "display_name": "MeshAgent", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1216", "name": "Signed Script Proxy Execution", "display_name": "T1216 - Signed Script Proxy Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 213, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 1, "YARA": 4, "domain": 1, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386972, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ac7f182949e1ea4764e41", "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-07T02:39:45.775000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218d8bfd3eede26d8aa89e", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T05:56:27.300000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821a99cca8c0daeb63e0e80", "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T07:56:12.393000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hackerseye.net/all-blog-items/checkmesh", "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "related": { "alienvault": { "adversary": [ "Fox Kitten", "LilacSquid" ], "malware_families": [ "Meshagent" ], "industries": [ "Government", "Energy" ] }, "other": { "adversary": [ "Lemon Sandstorm" ], "malware_families": [], "industries": [ "Government", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "681a66fd8309a0fad22d97ae", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "This report details a prolonged Iranian state-sponsored intrusion into critical national infrastructure in the Middle East from May 2023 to February 2025. The threat actors employed various tactics including web shells, custom malware, and legitimate tools to maintain persistent access across multiple network segments. Key findings include the use of novel malware families like HanifNet and NeoExpressRAT, as well as extensive credential harvesting and lateral movement techniques. The intrusion demonstrated sophisticated evasion capabilities and targeted attempts to access operational technology networks. Forensic analysis revealed potential links to previously reported Iranian APT campaigns. The report provides detailed technical indicators and recommends enhanced logging, EDR deployment, and multi-factor authentication to defend against similar threats.", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-06T19:46:05.811000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Fox Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386972, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b090cdcc6b1efeb7afc7b9", "name": "CheckMesh: Hidden Threats in Your FW", "description": "This report examines an advanced cyber-attack targeting an Israeli enterprise, where a sophisticated threat actor compromised a Check Point firewall by deploying a malicious ELF implant known as MeshAgent. The implant, disguised as a legitimate process, enabled encrypted communication with the attacker's Command and Control (C2) server, granting persistent access and allowing the firewall to be transformed into a stealthy C2 node. The analysis reveals tactics, techniques, and procedures (TTPs) consistent with the LilacSquid APT group, including initial exploitation, credential theft, lateral movement, and the use of advanced stealth mechanisms. The report provides technical details, forensic analysis, and recommendations for incident response and mitigation.", "modified": "2024-09-04T08:03:43.335000", "created": "2024-08-05T08:43:57.589000", "tags": [ "meshagent", "encrypted communication", "advanced persistent threat", "credential theft", "firewall compromise", "lateral movement" ], "references": [ "https://hackerseye.net/all-blog-items/checkmesh" ], "public": 1, "adversary": "LilacSquid", "targeted_countries": [ "Israel" ], "malware_families": [ { "id": "MeshAgent", "display_name": "MeshAgent", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1216", "name": "Signed Script Proxy Execution", "display_name": "T1216 - Signed Script Proxy Execution" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 213, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 1, "YARA": 4, "domain": 1, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386972, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ac7f182949e1ea4764e41", "name": "IOC&TTP - Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "2024\u5e7411\u6708\uff0cFortiGuard \u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\uff08FGIR\uff09\u5728\u4e2d\u4e1c\u67d0\u5173\u952e\u57fa\u7840\u8bbe\u65bd\uff08CNI\uff09\u7f51\u7edc\u4e2d\u53d1\u73b0\u4e86\u4e00\u8d77\u957f\u671f\u6e17\u900f\u653b\u51fb\uff0c\u8ffd\u6eaf\u53ef\u81f32023\u5e745\u6708\uff0c\u90e8\u5206\u75d5\u8ff9\u751a\u81f3\u53ef\u8ffd\u6eaf\u81f32021\u5e745\u6708\u3002\u653b\u51fb\u8005\u88ab\u9ad8\u5ea6\u786e\u4fe1\u4e0e**\u4f0a\u6717\u56fd\u5bb6\u652f\u6301\u7684\u5a01\u80c1\u7ec4\u7ec7 Lemon Sandstorm\uff08\u53c8\u540d Fox Kitten / Pioneer Kitten\uff09**\u6709\u5173\u3002\u6b64\u6b21\u5165\u4fb5\u663e\u793a\u4e86\u56fd\u5bb6\u7ea7APT\u5bf9CNI\u73af\u5883\u6301\u4e45\u5316\u63a7\u5236\u4e0e\u7eb5\u6df1\u6e17\u900f\u7684\u5f3a\u5927\u80fd\u529b\u3002\n\n\u653b\u51fb\u8005\u6700\u521d\u901a\u8fc7\u88ab\u76d7\u7528\u7684SSL VPN\u8d26\u53f7\u8fdb\u5165\u7f51\u7edc\uff0c\u5229\u7528\u591a\u79cd\u81ea\u5b9a\u4e49\u6216\u5f00\u6e90\u6076\u610f\u8f6f\u4ef6\uff08HanifNet\u3001HXLibrary\u3001NeoExpressRAT\u3001RemoteInjector\u3001SystemBC\u3001MeshCentral \u7b49\uff09\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u3002\u5176\u5173\u952e\u76ee\u6807\u5305\u62ec\uff1a\u90ae\u4ef6\u7cfb\u7edf\u3001\u865a\u62df\u5316\u57fa\u7840\u8bbe\u65bd\u3001\u51ed\u8bc1\u6536\u96c6\u7cfb\u7edf\u53ca\u6a21\u62df\u7684OT\u7f51\u7edc\u3002\u653b\u51fb\u5de5\u5177\u7ec4\u5408\u7075\u6d3b\uff0c\u6db5\u76d6 webshell\u3001\u53cd\u5411\u4ee3\u7406\u3001\u5bc6\u7801\u94a9\u5b50DLL\u3001PowerShell\u8fdc\u63a7\u3001SSH\u3001RDP\u96a7\u9053\u7b49\u3002\n\n\u6b64\u5916\uff0c\u653b\u51fb\u8005\u8fd8\u90e8\u7f72\u4e86\u4e00\u7cfb\u5217\u9488\u5bf9\u6027\u6781\u5f3a\u7684\u9493\u9c7c\u6d3b\u52a8\u4e0eWeb\u95e8\u6237\u7be1\u6539\u624b\u6bb5\uff08\u5982\u4fee\u6539Exchange OWA\u767b\u5f55\u9875\u9762\u7684JavaScript\u4ee5\u62e6\u622a\u5bc6\u7801\uff09\uff0c\u5e76\u901a\u8fc7PoC\u4ee3\u7801\u5229\u7528\u5df2\u77e5Web\u6f0f\u6d1e\u5b9e\u65bd\u6e17\u900f\u3002\n\n\u6b64\u4e8b\u4ef6\u5c55\u793a\u4e86\u4f0a\u6717APT\u5728\u5173\u952e\u57fa\u7840\u8bbe\u65bd\u7f51\u7edc\u4e2d\u8fdb\u884c**\u60c5\u62a5\u6536\u96c6\u4e0e\u51b2\u7a81\u51c6\u5907\u5b9a\u4f4d\uff08prepositioning\uff09**\u7684\u771f\u5b9e\u610f\u56fe\u3002\u62a5\u544a\u8be6\u7ec6\u5217\u51fa\u5165\u4fb5\u65f6\u95f4\u7ebf\u3001\u6076\u610f\u4ee3\u7801\u5206\u6790\u3001TTP\u884c\u4e3a\u6a21\u5f0f\u3001MITRE ATT&CK\u6620\u5c04\u3001IOCs\u3001C2\u57df\u540d/IP\u3001APT\u5f52\u5c5e\u7ebf\u7d22\u4e0e\u5177\u4f53\u9632\u5fa1\u5efa\u8bae\u3002", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-07T02:39:45.775000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68218d8bfd3eede26d8aa89e", "name": "Investigating Iranian Intrusion into Strategic Middle East Critical Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T05:56:27.300000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6821a99cca8c0daeb63e0e80", "name": "FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure", "description": "", "modified": "2025-06-05T19:00:06.626000", "created": "2025-05-12T07:56:12.393000", "tags": [ "apt", "credinterceptor", "custom malware", "systembc", "credential harvesting", "cve-2023-38950", "remoteinjector", "hxlibrary", "havoc", "cve-2023-38951", "critical infrastructure", "hanifnet", "cve-2023-38952", "proxy chaining", "lateral movement", "web shells", "neoexpressrat" ], "references": [ "https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf" ], "public": 1, "adversary": "Lemon Sandstorm", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1078.002", "name": "Domain Accounts", "display_name": "T1078.002 - Domain Accounts" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Energy", "Government" ], "TLP": "white", "cloned_from": "681a66fd8309a0fad22d97ae", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 1, "domain": 8, "hostname": 7 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gupdate.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gupdate.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780441987.729231 }