{
  "type": "Domain",
  "indicator": "hackertarget.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/hackertarget.com",
    "alexa": "http://www.alexa.com/siteinfo/hackertarget.com",
    "indicator": "hackertarget.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain hackertarget.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3101453080,
      "indicator": "hackertarget.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "69cf54dc2c334d92d90ad45b",
          "name": "University of Alberta - Active Exploits in the Wild",
          "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nThe report was presented to dosdean & CISO (\"No Problems\").\nThe report was presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
          "modified": "2026-04-03T06:02:28.790000",
          "created": "2026-04-03T05:49:13.607000",
          "tags": [
            "http security",
            "source",
            "detection",
            "informational",
            "vulnerable url",
            "checks",
            "http missing",
            "ssltls",
            "n description",
            "ssl certificate",
            "score",
            "impact",
            "apache",
            "speed",
            "test",
            "form",
            "find",
            "coldfusion",
            "unknown",
            "malware",
            "false",
            "encrypt",
            "critical",
            "bypass",
            "generator",
            "project"
          ],
          "references": [
            "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
            "https://pastebin.com/fqfVmTSv",
            "https://pastes.io/3XO0mF9Q",
            "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
            "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
            "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
            "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
            "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
            "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2510,
            "CVE": 31,
            "FileHash-MD5": 1,
            "domain": 29,
            "email": 1,
            "hostname": 541
          },
          "indicator_count": 3113,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "16 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf54e17e5745f45ea8a996",
          "name": "University of Alberta - Active Exploits in the Wild",
          "description": "These are active exploits currently being used in the wild by multiple threat actors (TAs).\nThe report was presented to dosdean & CISO (\"No Problems\").\nThe report was presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
          "modified": "2026-04-03T05:49:17.778000",
          "created": "2026-04-03T05:49:17.778000",
          "tags": [
            "http security",
            "source",
            "detection",
            "informational",
            "vulnerable url",
            "checks",
            "http missing",
            "ssltls",
            "n description",
            "ssl certificate",
            "score",
            "impact",
            "apache",
            "speed",
            "test",
            "form",
            "find",
            "coldfusion",
            "unknown",
            "malware",
            "false",
            "encrypt",
            "critical",
            "bypass",
            "generator",
            "project"
          ],
          "references": [
            "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
            "https://pastebin.com/fqfVmTSv",
            "https://pastes.io/3XO0mF9Q"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "UCP_GoA23",
            "id": "382539",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2510,
            "CVE": 31,
            "FileHash-MD5": 1,
            "domain": 29,
            "email": 1,
            "hostname": 541
          },
          "indicator_count": 3113,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 18,
          "modified_text": "16 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b60cdecf42fb532f2ceb12",
          "name": "U of A DataBreach Update - 11.13.25",
          "description": "Domain analysis that serves as evidence of ongoing data breaches at the University of Alberta, with associated references.\nThe analysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta, as detailed in this Pulse.",
          "modified": "2025-12-13T22:01:27.739000",
          "created": "2025-09-01T21:15:10.117000",
          "tags": [
            "as16509",
            "amazon02",
            "redirect",
            "tags",
            "as14618",
            "amazonaes",
            "search",
            "public",
            "search live",
            "api blog",
            "patch http",
            "please",
            "javascript",
            "url",
            "website",
            "web",
            "scanner",
            "analyze",
            "analyzer",
            "search api",
            "make sure",
            "domain",
            "and not",
            "page",
            "home search",
            "live api",
            "blog docs",
            "pricing login",
            "greynoise",
            "visualizer skip",
            "service status",
            "company blog",
            "us careers",
            "policies vpat",
            "slo privacy",
            "cookie patent",
            "copyright",
            "google privacy",
            "sandbox",
            "reputation",
            "phishing",
            "malware",
            "amazon web",
            "services",
            "warning icon",
            "share report",
            "systems",
            "cloudflare",
            "varnish",
            "nginx",
            "apache",
            "write",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "course",
            "program",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "UAlberta"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
            "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
            "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
            "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
            "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
            "https://viz.greynoise.io/query/AS3359",
            "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
            "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
            "https://www.urlvoid.com/dns-records-lookup/",
            "https://www.shodan.io/search?query=ualberta.ca",
            "https://dnsdumpster.com/",
            "https://bgpview.io/asn/3359#whois",
            "https://centralops.net/co/",
            "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
            "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
            "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
            "https://www.criminalip.io/asset/search?query=ualberta.ca",
            "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
            "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
            "https://whois.domaintools.com/ualberta.ca",
            "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
            "https://viewdns.info/iphistory/?domain=ualberta.ca",
            "https://viewdns.info/portscan/?host=ualberta.ca",
            "https://whois.easycounter.com/ualberta.ca",
            "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
            "https://who.is/whois/ualberta.ca",
            "https://www.robtex.com/en/dns-lookup/ca/ualberta",
            "https://www.whoxy.com/ualberta.ca",
            "https://reverseip.domaintools.com/search/?q=ualberta.ca",
            "https://bgp.he.net/dns/ualberta.ca",
            "https://intelx.io/?s=ualberta.ca",
            "https://pulsedive.com/indicator/?indicator=ualberta.ca",
            "https://web.archive.org/web/20250000000000*/ualberta.ca",
            "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
            "https://viewdns.info/traceroute/?domain=ualberta.ca",
            "https://centralops.net/co/DomainDossier.aspx",
            "https://search.odin.io/hosts?query=ualberta.ca",
            "https://www.merklemap.com/search?query=ualberta.ca&page=0"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9901,
            "domain": 790,
            "email": 982,
            "hostname": 10520,
            "FileHash-MD5": 550,
            "FileHash-SHA256": 1726,
            "FileHash-SHA1": 519,
            "SSLCertFingerprint": 64,
            "CIDR": 26,
            "CVE": 12
          },
          "indicator_count": 25090,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dcfe617051963f6fa4a7e3",
          "name": "EbeeSep2025 Pt5",
          "description": "",
          "modified": "2025-10-31T10:03:43.999000",
          "created": "2025-10-01T10:11:45.879000",
          "tags": [],
          "references": [
            "Sep week4.pdf"
          ],
          "public": 1,
          "adversary": "BeaverTail, Gunra Ransomware, Lockbit, Lumma Stealer, TamperedChef, RedNovember, XWorm campaign",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 97,
            "FileHash-MD5": 95,
            "FileHash-SHA1": 117,
            "FileHash-SHA256": 105,
            "CVE": 5,
            "URL": 21,
            "hostname": 50,
            "email": 2
          },
          "indicator_count": 492,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d63373c3306792668f5d1e",
          "name": "RedNovember\u2019s Global Cyber-Espionage Against Defense and Government Sectors",
          "description": "RedNovember, a Chinese state-sponsored cyber-espionage group formerly known as TAG-100 and overlapping with Storm-2077, exemplifies the evolving tactics of nation-state actors in targeting global organizations. According to a detailed report by Recorded Future's Insikt Group, the group has expanded its operations from June 2024 to July 2025, focusing on government, defense, aerospace, and technology sectors. By exploiting vulnerabilities in edge devices such as VPNs, firewalls, and email servers from vendors like Ivanti, Palo Alto Networks, and SonicWall, RedNovember achieves initial access, often following the public release of proof-of-concept exploits. This approach lowers operational barriers and obscures attribution, allowing the group to scale intrusions while blending with less sophisticated threats.",
          "modified": "2025-10-26T06:00:26.624000",
          "created": "2025-09-26T06:32:19.379000",
          "tags": [
            "rednovember",
            "insikt group",
            "april",
            "southeast asia",
            "march",
            "taiwan",
            "china",
            "cobalt strike",
            "south korea",
            "future",
            "august",
            "panama",
            "june",
            "sparkrat",
            "february",
            "reddelta",
            "donald trump",
            "blackrock",
            "defense",
            "tools",
            "model",
            "insikt"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [
            "Taiwan",
            "Korea, Republic of",
            "China",
            "Fiji",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Insikt",
              "display_name": "Insikt",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Ics",
            "Transportation",
            "Military",
            "Aerospace",
            "Foreign Affairs",
            "Industrial",
            "Diplomatic",
            "Oil And Gas",
            "Financial",
            "Media",
            "Trade",
            "Financial Services",
            "Telecommunications",
            "Marine",
            "Finance",
            "Higher Education",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "CVE": 4,
            "URL": 3,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "175 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d6337b6543533f893f89fb",
          "name": "RedNovember\u2019s Global Cyber-Espionage Against Defense and Government Sectors",
          "description": "RedNovember, a Chinese state-sponsored cyber-espionage group formerly known as TAG-100 and overlapping with Storm-2077, exemplifies the evolving tactics of nation-state actors in targeting global organizations. According to a detailed report by Recorded Future's Insikt Group, the group has expanded its operations from June 2024 to July 2025, focusing on government, defense, aerospace, and technology sectors. By exploiting vulnerabilities in edge devices such as VPNs, firewalls, and email servers from vendors like Ivanti, Palo Alto Networks, and SonicWall, RedNovember achieves initial access, often following the public release of proof-of-concept exploits. This approach lowers operational barriers and obscures attribution, allowing the group to scale intrusions while blending with less sophisticated threats.",
          "modified": "2025-10-26T06:00:26.624000",
          "created": "2025-09-26T06:32:27.931000",
          "tags": [
            "rednovember",
            "insikt group",
            "april",
            "southeast asia",
            "march",
            "taiwan",
            "china",
            "cobalt strike",
            "south korea",
            "future",
            "august",
            "panama",
            "june",
            "sparkrat",
            "february",
            "reddelta",
            "donald trump",
            "blackrock",
            "defense",
            "tools",
            "model",
            "insikt"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [
            "Taiwan",
            "Korea, Republic of",
            "China",
            "Fiji",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Insikt",
              "display_name": "Insikt",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Ics",
            "Transportation",
            "Military",
            "Aerospace",
            "Foreign Affairs",
            "Industrial",
            "Diplomatic",
            "Oil And Gas",
            "Financial",
            "Media",
            "Trade",
            "Financial Services",
            "Telecommunications",
            "Marine",
            "Finance",
            "Higher Education",
            "Manufacturing",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "CVE": 4,
            "URL": 3,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "175 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d4ea95e41c3309effa3661",
          "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
          "description": "RedNovember, a threat activity group now attributed to likely Chinese state-sponsored cyber-espionage, has been active in targeting a wide range of government and private organizations globally, with specific emphasis on United States, Taiwanese, and South Korean entities. Insikt Group reported significant activity from this group between July 2024 and mid-2025, including extensive reconnaissance efforts directed at over 30 Panamanian government agencies and major defence contractors in the US.",
          "modified": "2025-10-25T07:04:53.661000",
          "created": "2025-09-25T07:09:09.993000",
          "tags": [
            "rednovember",
            "insikt group",
            "april",
            "southeast asia",
            "march",
            "taiwan",
            "china",
            "cobalt strike",
            "south korea",
            "future",
            "august",
            "panama",
            "june",
            "sparkrat",
            "february",
            "reddelta",
            "donald trump",
            "blackrock",
            "defense",
            "tools",
            "model",
            "strike c2",
            "sha256 hash",
            "c2 ip",
            "ip address",
            "urls",
            "zip file",
            "pdf lure",
            "word document",
            "sha256"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1590.006",
              "name": "Network Security Appliances",
              "display_name": "T1590.006 - Network Security Appliances"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "URL": 3,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "176 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d4f38d31e113221e6d90fe",
          "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
          "description": "",
          "modified": "2025-10-25T07:04:53.661000",
          "created": "2025-09-25T07:47:25.090000",
          "tags": [
            "rednovember",
            "insikt group",
            "april",
            "southeast asia",
            "march",
            "taiwan",
            "china",
            "cobalt strike",
            "south korea",
            "future",
            "august",
            "panama",
            "june",
            "sparkrat",
            "february",
            "reddelta",
            "donald trump",
            "blackrock",
            "defense",
            "tools",
            "model",
            "strike c2",
            "sha256 hash",
            "c2 ip",
            "ip address",
            "urls",
            "zip file",
            "pdf lure",
            "word document",
            "sha256"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1590.006",
              "name": "Network Security Appliances",
              "display_name": "T1590.006 - Network Security Appliances"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68d4ea95e41c3309effa3661",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "URL": 3,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 263,
          "modified_text": "176 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d4f38fdddc98ff3a6f4ee2",
          "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
          "description": "",
          "modified": "2025-10-25T07:04:53.661000",
          "created": "2025-09-25T07:47:27.086000",
          "tags": [
            "rednovember",
            "insikt group",
            "april",
            "southeast asia",
            "march",
            "taiwan",
            "china",
            "cobalt strike",
            "south korea",
            "future",
            "august",
            "panama",
            "june",
            "sparkrat",
            "february",
            "reddelta",
            "donald trump",
            "blackrock",
            "defense",
            "tools",
            "model",
            "strike c2",
            "sha256 hash",
            "c2 ip",
            "ip address",
            "urls",
            "zip file",
            "pdf lure",
            "word document",
            "sha256"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1590.006",
              "name": "Network Security Appliances",
              "display_name": "T1590.006 - Network Security Appliances"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1071.002",
              "name": "File Transfer Protocols",
              "display_name": "T1071.002 - File Transfer Protocols"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68d4ea95e41c3309effa3661",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 8,
            "URL": 3,
            "YARA": 1,
            "domain": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 263,
          "modified_text": "176 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "651b0f416c74924644e6cb16",
          "name": "iitd.irins.org",
          "description": "",
          "modified": "2023-11-01T00:01:12.311000",
          "created": "2023-10-02T18:43:13.865000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ellenmmm",
            "id": "233693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "hostname": 59,
            "domain": 37,
            "FileHash-MD5": 680,
            "FileHash-SHA1": 680,
            "FileHash-SHA256": 3083,
            "JA3": 2,
            "CVE": 10,
            "email": 4
          },
          "indicator_count": 4575,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 81,
          "modified_text": "900 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "https://whois.easycounter.com/ualberta.ca",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://dnsdumpster.com/",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://intelx.io/?s=ualberta.ca",
        "https://www.urlvoid.com/dns-records-lookup/",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
        "https://whois.domaintools.com/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "https://centralops.net/co/DomainDossier.aspx",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://www.shodan.io/search?query=ualberta.ca",
        "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "https://centralops.net/co/",
        "https://viz.greynoise.io/query/AS3359",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "https://pastes.io/3XO0mF9Q",
        "https://bgpview.io/asn/3359#whois",
        "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "https://who.is/whois/ualberta.ca",
        "https://www.whoxy.com/ualberta.ca",
        "Sep week4.pdf",
        "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
        "https://pastebin.com/fqfVmTSv",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "https://bgp.he.net/dns/ualberta.ca"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "BeaverTail, Gunra Ransomware, Lockbit, Lumma Stealer, TamperedChef, RedNovember, XWorm campaign",
            "Insikt"
          ],
          "malware_families": [
            "Cobalt strike",
            "Insikt"
          ],
          "industries": [
            "Finance",
            "Oil and gas",
            "Trade",
            "Transportation",
            "Diplomatic",
            "Higher education",
            "Financial services",
            "Education",
            "Technology",
            "Marine",
            "Ics",
            "Government",
            "Foreign affairs",
            "Financial",
            "Military",
            "Media",
            "Defense",
            "Aerospace",
            "Industrial",
            "Manufacturing",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "69cf54dc2c334d92d90ad45b",
      "name": "University of Alberta - Active Exploits in the Wild",
      "description": "These are active exploits currently being used in the wild by multiple TAs.\nReport was presented to dosdean & CISO ( \"No Problems\" ).\nReport presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
      "modified": "2026-04-03T06:02:28.790000",
      "created": "2026-04-03T05:49:13.607000",
      "tags": [
        "http security",
        "source",
        "detection",
        "informational",
        "vulnerable url",
        "checks",
        "http missing",
        "ssltls",
        "n description",
        "ssl certificate",
        "score",
        "impact",
        "apache",
        "speed",
        "test",
        "form",
        "find",
        "coldfusion",
        "unknown",
        "malware",
        "false",
        "encrypt",
        "critical",
        "bypass",
        "generator",
        "project"
      ],
      "references": [
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://pastebin.com/fqfVmTSv",
        "https://pastes.io/3XO0mF9Q",
        "https://www.virustotal.com/gui/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d/detection",
        "https://www.filescan.io/uploads/69cf553c2346b9da57bab574/reports/94ee293e-60a9-4d72-9f74-ec3157c5c26b/ioc",
        "https://traceix.com/search?sha256=a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d&wait=1&tab=capa",
        "https://polyswarm.network/scan/results/file/a3e43f4f6f2597a450677bcd6833e4ef0015ceb7c9110d9bacc73ac12d8e4d0d",
        "https://metadefender.com/results/file/bzI2MDQwMzJNaU1Wd1k1RVJYcUpBeW5NMWpl",
        "https://opentip.kaspersky.com/A3E43F4F6F2597A450677BCD6833E4EF0015CEB7C9110D9BACC73AC12D8E4D0D/results?tab=upload"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2510,
        "CVE": 31,
        "FileHash-MD5": 1,
        "domain": 29,
        "email": 1,
        "hostname": 541
      },
      "indicator_count": 3113,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 17,
      "modified_text": "16 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf54e17e5745f45ea8a996",
      "name": "University of Alberta - Active Exploits in the Wild",
      "description": "These are active exploits currently being used in the wild by multiple TAs.\nReport was presented to dosdean & CISO ( \"No Problems\" ).\nReport presented to AlbertaNDP Nenshi (similar infrastructure) of Gov. Alberta",
      "modified": "2026-04-03T05:49:17.778000",
      "created": "2026-04-03T05:49:17.778000",
      "tags": [
        "http security",
        "source",
        "detection",
        "informational",
        "vulnerable url",
        "checks",
        "http missing",
        "ssltls",
        "n description",
        "ssl certificate",
        "score",
        "impact",
        "apache",
        "speed",
        "test",
        "form",
        "find",
        "coldfusion",
        "unknown",
        "malware",
        "false",
        "encrypt",
        "critical",
        "bypass",
        "generator",
        "project"
      ],
      "references": [
        "https://app.threat.zone/submission/15cdf13c-df91-427a-bef3-e58bc78e5d06/overview",
        "https://pastebin.com/fqfVmTSv",
        "https://pastes.io/3XO0mF9Q"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "UCP_GoA23",
        "id": "382539",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2510,
        "CVE": 31,
        "FileHash-MD5": 1,
        "domain": 29,
        "email": 1,
        "hostname": 541
      },
      "indicator_count": 3113,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 18,
      "modified_text": "16 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b60cdecf42fb532f2ceb12",
      "name": "U of A DataBreach Update - 11.13.25",
      "description": "Domain analysis that serves as evidence of ongoing data breaches at the University of Alberta, with associated references.\nThe analysis demonstrates abused critical infrastructure in the Province of Alberta stemming from UAlberta, as detailed in this Pulse.",
      "modified": "2025-12-13T22:01:27.739000",
      "created": "2025-09-01T21:15:10.117000",
      "tags": [
        "as16509",
        "amazon02",
        "redirect",
        "tags",
        "as14618",
        "amazonaes",
        "search",
        "public",
        "search live",
        "api blog",
        "patch http",
        "please",
        "javascript",
        "url",
        "website",
        "web",
        "scanner",
        "analyze",
        "analyzer",
        "search api",
        "make sure",
        "domain",
        "and not",
        "page",
        "home search",
        "live api",
        "blog docs",
        "pricing login",
        "greynoise",
        "visualizer skip",
        "service status",
        "company blog",
        "us careers",
        "policies vpat",
        "slo privacy",
        "cookie patent",
        "copyright",
        "google privacy",
        "sandbox",
        "reputation",
        "phishing",
        "malware",
        "amazon web",
        "services",
        "warning icon",
        "share report",
        "systems",
        "cloudflare",
        "varnish",
        "nginx",
        "apache",
        "write",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "course",
        "program",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "UAlberta"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/iocs",
        "https://www.virustotal.com/gui/collection/081aaa3e4cc9594cebbd39781c156d337527737e7123481e44ca9de1b39852ee/summary",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://viz.greynoise.io/ip/analysis/d90b0bd7-aaa1-4ea6-93c1-92bfd2d8f930",
        "https://urlquery.net/report/e9f9c430-fb2f-4166-8bfb-500339fdb9c0",
        "https://www.filescan.io/uploads/68b608d639a6221faa7935aa/reports/dd218cea-f81d-43ed-97fe-dd8c5aec52a3/ioc",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43",
        "https://viz.greynoise.io/query/AS3359",
        "https://www.virustotal.com/graph/embed/g4022b02acb3b46ddb4b24043845853d9f56a84d80b5849188fee79c90217d4ca?theme=dark",
        "http://ci-www.threatcrowd.org/domain.php?domain=ualberta.ca",
        "https://www.urlvoid.com/dns-records-lookup/",
        "https://www.shodan.io/search?query=ualberta.ca",
        "https://dnsdumpster.com/",
        "https://bgpview.io/asn/3359#whois",
        "https://centralops.net/co/",
        "https://app.netlas.io/domains/stats/?facets=domain&indices=&q=domain%3A%2A.ualberta.ca&size=1100",
        "09.10.25 - https://viz.greynoise.io/ip/analysis/df2c8c37-f8f2-4398-b709-7c716b03b697",
        "09.10.25 - https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://hybrid-analysis.com/sample/3b036b4b2b1d24e19238c6af7bbfaba465cf54cb2f9aab048002deddeafb7f43/680e723df123be6c63004290",
        "https://www.criminalip.io/asset/search?query=ualberta.ca",
        "09.20.25 - https://urlscan.io/search/#page.domain%3Aualberta.ca",
        "https://app.threat.zone/submission/c70698bf-881e-491a-a582-eee634b4bf73/url-analysis-report",
        "https://whois.domaintools.com/ualberta.ca",
        "https://research.domaintools.com/research/whois-history/search/?q=ualberta.ca",
        "https://viewdns.info/iphistory/?domain=ualberta.ca",
        "https://viewdns.info/portscan/?host=ualberta.ca",
        "https://whois.easycounter.com/ualberta.ca",
        "https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=ualberta.ca",
        "https://who.is/whois/ualberta.ca",
        "https://www.robtex.com/en/dns-lookup/ca/ualberta",
        "https://www.whoxy.com/ualberta.ca",
        "https://reverseip.domaintools.com/search/?q=ualberta.ca",
        "https://bgp.he.net/dns/ualberta.ca",
        "https://intelx.io/?s=ualberta.ca",
        "https://pulsedive.com/indicator/?indicator=ualberta.ca",
        "https://web.archive.org/web/20250000000000*/ualberta.ca",
        "https://crt.sh/?q=ualberta.ca&exclude=expired&group=none",
        "https://viewdns.info/traceroute/?domain=ualberta.ca",
        "https://centralops.net/co/DomainDossier.aspx",
        "https://search.odin.io/hosts?query=ualberta.ca",
        "https://www.merklemap.com/search?query=ualberta.ca&page=0"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 92,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9901,
        "domain": 790,
        "email": 982,
        "hostname": 10520,
        "FileHash-MD5": 550,
        "FileHash-SHA256": 1726,
        "FileHash-SHA1": 519,
        "SSLCertFingerprint": 64,
        "CIDR": 26,
        "CVE": 12
      },
      "indicator_count": 25090,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dcfe617051963f6fa4a7e3",
      "name": "EbeeSep2025 Pt5",
      "description": "",
      "modified": "2025-10-31T10:03:43.999000",
      "created": "2025-10-01T10:11:45.879000",
      "tags": [],
      "references": [
        "Sep week4.pdf"
      ],
      "public": 1,
      "adversary": "BeaverTail, Gunra Ransomware, Lockbit, Lumma Stealer, TamperedChef, RedNovember, XWorm campaign",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 97,
        "FileHash-MD5": 95,
        "FileHash-SHA1": 117,
        "FileHash-SHA256": 105,
        "CVE": 5,
        "URL": 21,
        "hostname": 50,
        "email": 2
      },
      "indicator_count": 492,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "170 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d63373c3306792668f5d1e",
      "name": "RedNovember\u2019s Global Cyber-Espionage Against Defense and Government Sectors",
      "description": "RedNovember, a Chinese state-sponsored cyber-espionage group formerly known as TAG-100 and overlapping with Storm-2077, exemplifies the evolving tactics of nation-state actors in targeting global organizations. According to a detailed report by Recorded Future's Insikt Group, the group has expanded its operations from June 2024 to July 2025, focusing on government, defense, aerospace, and technology sectors. By exploiting vulnerabilities in edge devices such as VPNs, firewalls, and email servers from vendors like Ivanti, Palo Alto Networks, and SonicWall, RedNovember achieves initial access, often following the public release of proof-of-concept exploits. This approach lowers operational barriers and obscures attribution, allowing the group to scale intrusions while blending with less sophisticated threats.",
      "modified": "2025-10-26T06:00:26.624000",
      "created": "2025-09-26T06:32:19.379000",
      "tags": [
        "rednovember",
        "insikt group",
        "april",
        "southeast asia",
        "march",
        "taiwan",
        "china",
        "cobalt strike",
        "south korea",
        "future",
        "august",
        "panama",
        "june",
        "sparkrat",
        "february",
        "reddelta",
        "donald trump",
        "blackrock",
        "defense",
        "tools",
        "model",
        "insikt"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [
        "Taiwan",
        "Korea, Republic of",
        "China",
        "Fiji",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Insikt",
          "display_name": "Insikt",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Ics",
        "Transportation",
        "Military",
        "Aerospace",
        "Foreign Affairs",
        "Industrial",
        "Diplomatic",
        "Oil And Gas",
        "Financial",
        "Media",
        "Trade",
        "Financial Services",
        "Telecommunications",
        "Marine",
        "Finance",
        "Higher Education",
        "Manufacturing",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "CVE": 4,
        "URL": 3,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 57,
      "modified_text": "175 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d6337b6543533f893f89fb",
      "name": "RedNovember\u2019s Global Cyber-Espionage Against Defense and Government Sectors",
      "description": "RedNovember, a Chinese state-sponsored cyber-espionage group formerly known as TAG-100 and overlapping with Storm-2077, exemplifies the evolving tactics of nation-state actors in targeting global organizations. According to a detailed report by Recorded Future's Insikt Group, the group has expanded its operations from June 2024 to July 2025, focusing on government, defense, aerospace, and technology sectors. By exploiting vulnerabilities in edge devices such as VPNs, firewalls, and email servers from vendors like Ivanti, Palo Alto Networks, and SonicWall, RedNovember achieves initial access, often following the public release of proof-of-concept exploits. This approach lowers operational barriers and obscures attribution, allowing the group to scale intrusions while blending with less sophisticated threats.",
      "modified": "2025-10-26T06:00:26.624000",
      "created": "2025-09-26T06:32:27.931000",
      "tags": [
        "rednovember",
        "insikt group",
        "april",
        "southeast asia",
        "march",
        "taiwan",
        "china",
        "cobalt strike",
        "south korea",
        "future",
        "august",
        "panama",
        "june",
        "sparkrat",
        "february",
        "reddelta",
        "donald trump",
        "blackrock",
        "defense",
        "tools",
        "model",
        "insikt"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [
        "Taiwan",
        "Korea, Republic of",
        "China",
        "Fiji",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Insikt",
          "display_name": "Insikt",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Ics",
        "Transportation",
        "Military",
        "Aerospace",
        "Foreign Affairs",
        "Industrial",
        "Diplomatic",
        "Oil And Gas",
        "Financial",
        "Media",
        "Trade",
        "Financial Services",
        "Telecommunications",
        "Marine",
        "Finance",
        "Higher Education",
        "Manufacturing",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "CVE": 4,
        "URL": 3,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "175 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d4ea95e41c3309effa3661",
      "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
      "description": "RedNovember, a threat activity group now attributed to likely Chinese state-sponsored cyber-espionage, has been active in targeting a wide range of government and private organizations globally, with specific emphasis on United States, Taiwanese, and South Korean entities. Insikt Group reported significant activity from this group between July 2024 and mid-2025, including extensive reconnaissance efforts directed at over 30 Panamanian government agencies and major defence contractors in the US.",
      "modified": "2025-10-25T07:04:53.661000",
      "created": "2025-09-25T07:09:09.993000",
      "tags": [
        "rednovember",
        "insikt group",
        "april",
        "southeast asia",
        "march",
        "taiwan",
        "china",
        "cobalt strike",
        "south korea",
        "future",
        "august",
        "panama",
        "june",
        "sparkrat",
        "february",
        "reddelta",
        "donald trump",
        "blackrock",
        "defense",
        "tools",
        "model",
        "strike c2",
        "sha256 hash",
        "c2 ip",
        "ip address",
        "urls",
        "zip file",
        "pdf lure",
        "word document",
        "sha256"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1590.006",
          "name": "Network Security Appliances",
          "display_name": "T1590.006 - Network Security Appliances"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "URL": 3,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 171,
      "modified_text": "176 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d4f38d31e113221e6d90fe",
      "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
      "description": "",
      "modified": "2025-10-25T07:04:53.661000",
      "created": "2025-09-25T07:47:25.090000",
      "tags": [
        "rednovember",
        "insikt group",
        "april",
        "southeast asia",
        "march",
        "taiwan",
        "china",
        "cobalt strike",
        "south korea",
        "future",
        "august",
        "panama",
        "june",
        "sparkrat",
        "february",
        "reddelta",
        "donald trump",
        "blackrock",
        "defense",
        "tools",
        "model",
        "strike c2",
        "sha256 hash",
        "c2 ip",
        "ip address",
        "urls",
        "zip file",
        "pdf lure",
        "word document",
        "sha256"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1590.006",
          "name": "Network Security Appliances",
          "display_name": "T1590.006 - Network Security Appliances"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68d4ea95e41c3309effa3661",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "URL": 3,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 263,
      "modified_text": "176 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d4f38fdddc98ff3a6f4ee2",
      "name": "RedNovember Targets Government, Defence, and Technology Organizations.",
      "description": "",
      "modified": "2025-10-25T07:04:53.661000",
      "created": "2025-09-25T07:47:27.086000",
      "tags": [
        "rednovember",
        "insikt group",
        "april",
        "southeast asia",
        "march",
        "taiwan",
        "china",
        "cobalt strike",
        "south korea",
        "future",
        "august",
        "panama",
        "june",
        "sparkrat",
        "february",
        "reddelta",
        "donald trump",
        "blackrock",
        "defense",
        "tools",
        "model",
        "strike c2",
        "sha256 hash",
        "c2 ip",
        "ip address",
        "urls",
        "zip file",
        "pdf lure",
        "word document",
        "sha256"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1590.006",
          "name": "Network Security Appliances",
          "display_name": "T1590.006 - Network Security Appliances"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1071.002",
          "name": "File Transfer Protocols",
          "display_name": "T1071.002 - File Transfer Protocols"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68d4ea95e41c3309effa3661",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 8,
        "URL": 3,
        "YARA": 1,
        "domain": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 263,
      "modified_text": "176 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "651b0f416c74924644e6cb16",
      "name": "iitd.irins.org",
      "description": "",
      "modified": "2023-11-01T00:01:12.311000",
      "created": "2023-10-02T18:43:13.865000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ellenmmm",
        "id": "233693",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 20,
        "hostname": 59,
        "domain": 37,
        "FileHash-MD5": 680,
        "FileHash-SHA1": 680,
        "FileHash-SHA256": 3083,
        "JA3": 2,
        "CVE": 10,
        "email": 4
      },
      "indicator_count": 4575,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 81,
      "modified_text": "900 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "hackertarget.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "hackertarget.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776615347.7005827
}