{ "type": "Domain", "indicator": "hell1-kitty.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hell1-kitty.cc", "alexa": "http://www.alexa.com/siteinfo/hell1-kitty.cc", "indicator": "hell1-kitty.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4171193861, "indicator": "hell1-kitty.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0d2c740aaef53bdd9ca167", "name": "IOC - Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers.", "modified": "2026-05-20T03:37:24.680000", "created": "2026-05-20T03:37:24.680000", "tags": [ "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0d0d30d3c1f85cb653d59d", "name": "IOC - Microsoft\u2019s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows", "description": "Cybercriminals abuse legitimate, albeit legacy, tools to push a host of malware, ranging from run-of-the-mill password stealers to advanced threats. Bitdefender\u2019s previous investigations already revealed how attackers used LOTL tactics in a Windows and macOS malware campaign that leveraged fake \u201cClaude Code\u201d Google ads.", "modified": "2026-05-20T01:24:00.331000", "created": "2026-05-20T01:24:00.331000", "tags": [ "lummastealer", "url emmenhtal", "ip purplefox", "domain new", "url hta", "indicator type", "ip ip", "loader https", "initial hta", "clickfix", "powershell" ], "references": [ "https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 89, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 28, "URL": 31, "hostname": 10 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a079c15df0e628e840b536c", "name": "IBCART", "description": "Michigan is the only country in the United States with a record number of members of the House of Representatives with an all-time record of 20,000 members, all but one of them female.", "modified": "2026-05-15T22:20:05.679000", "created": "2026-05-15T22:20:05.679000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 28, "URL": 22, "FileHash-MD5": 108, "FileHash-SHA1": 9, "FileHash-SHA256": 25, "domain": 59, "hostname": 415 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a07476c4037c7147786fb54", "name": "Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "The recent CountLoader campaign, identified by McAfee Labs, exemplifies a sophisticated method of cyberattack featuring multiple layers of obfuscation and a complex infection chain. The attackers utilize various loaders including PowerShell scripts and obfuscated JavaScript executed via mshta.exe to facilitate the infection process. Each stage of this process is designed to remain hidden, employing in-memory shellcode injection techniques that further complicate detection efforts.", "modified": "2026-05-15T16:18:52.891000", "created": "2026-05-15T16:18:52.891000", "tags": [ "compromise ioc", "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d5f6631a53a06db87bd1e3", "name": "IOC Blocking", "description": "The following is a full list of people who have contributed to the website of \"factu\" and \"grupobedfs\" - a group that includes the names of two groups of individuals.", "modified": "2026-05-08T06:44:52.553000", "created": "2026-04-08T06:32:02.989000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 5, "domain": 12, "hostname": 8 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ccc4e875fb8ee38f78fe74", "name": "dsfdfvgdvdf", "description": "", "modified": "2026-04-01T07:10:32.762000", "created": "2026-04-01T07:10:32.762000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "URL": 53 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb684b26cba28a6f033bec", "name": "IOC - DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion", "description": "ReliaQuest has observed the new \u201cDeepLoad\u201d malware being exploited in enterprise environments. What sets this campaign apart isn\u2019t any single stand-out technique, but how the entire attack chain was engineered to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.", "modified": "2026-03-31T06:23:07.522000", "created": "2026-03-31T06:23:07.522000", "tags": [], "references": [ "https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695347a63819a0de97bfd362", "name": "IOC - \u5e7f\u544a\u4f4d\u53d8\u7a83\u5bc6\u901a\u9053\uff1aIDM\u7834\u89e3\u5de5\u5177\u4f5c\u8005\u6216\u6210\u4e3a\u7a83\u5bc6\u5e2e\u51f6", "description": "\u8fd1\u671f\uff0c\u706b\u7ed2\u5b89\u5168\u5de5\u7a0b\u5e08\u76d1\u6d4b\u53d1\u73b0\u4e00\u4e2a\u5371\u9669\u9677\u9631\uff1a\u5f88\u591a\u4eba\u60f3\u627e\u7684\u201cIDM \u7834\u89e3\u7a0b\u5e8f\u201d\uff0c\u5176\u4e0b\u8f7d\u7f51\u7ad9\u7684\u663e\u773c\u5e7f\u544a\u4f4d\u91cc\u85cf\u7740\u6076\u610f\u4e0b\u8f7d\u6309\u94ae\uff0c\u4e0b\u8f7d\u8fd0\u884c\u5c31\u4f1a\u4e2d\u62db\u7a83\u5bc6\u75c5\u6bd2\uff01\u8fd9\u7c7b\u75c5\u6bd2\u4e13\u95e8\u76ef\u7740\u4f60\u7684\u91cd\u8981\u4fe1\u606f\u2014\u2014 \u4f8b\u5982\u6d4f\u89c8\u5668\u4fdd\u5b58\u7684\u5bc6\u7801\u3001Steam \u6e38\u620f\u8d26\u53f7\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u3001Github \u8d26\u53f7\uff0c\u751a\u81f3\u4f1a\u5077\u5077\u66ff\u6362\u52a0\u5bc6\u8d27\u5e01\u6536\u6b3e\u5730\u5740\u3001\u83b7\u53d6\u90ae\u7bb1\u9a8c\u8bc1\u7801\uff0c\u628a\u4f60\u7684\u8d22\u4ea7\u548c\u9690\u79c1\u4e00\u952e\u5077\u8d70\uff0c\u6700\u7ec8\u5168\u90e8\u4e0a\u4f20\u5230\u7a83\u5bc6\u8005\u7684\u670d\u52a1\u5668\u3002", "modified": "2026-01-29T03:01:02.366000", "created": "2025-12-30T03:31:50.600000", "tags": [ "sha256" ], "references": [ "https://www.huorong.cn/document/tech/vir_report/1889" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-SHA256": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/", "https://www.huorong.cn/document/tech/vir_report/1889", "IOCs.2026.pdf", "https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows", "https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager" ], "malware_families": [], "industries": [ "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0d2c740aaef53bdd9ca167", "name": "IOC - Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers.", "modified": "2026-05-20T03:37:24.680000", "created": "2026-05-20T03:37:24.680000", "tags": [ "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0d0d30d3c1f85cb653d59d", "name": "IOC - Microsoft\u2019s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows", "description": "Cybercriminals abuse legitimate, albeit legacy, tools to push a host of malware, ranging from run-of-the-mill password stealers to advanced threats. Bitdefender\u2019s previous investigations already revealed how attackers used LOTL tactics in a Windows and macOS malware campaign that leveraged fake \u201cClaude Code\u201d Google ads.", "modified": "2026-05-20T01:24:00.331000", "created": "2026-05-20T01:24:00.331000", "tags": [ "lummastealer", "url emmenhtal", "ip purplefox", "domain new", "url hta", "indicator type", "ip ip", "loader https", "initial hta", "clickfix", "powershell" ], "references": [ "https://www.bitdefender.com/en-us/blog/labs/microsofts-mshta-legacy-malware-windows" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 89, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 28, "URL": 31, "hostname": 10 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a079c15df0e628e840b536c", "name": "IBCART", "description": "Michigan is the only country in the United States with a record number of members of the House of Representatives with an all-time record of 20,000 members, all but one of them female.", "modified": "2026-05-15T22:20:05.679000", "created": "2026-05-15T22:20:05.679000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 28, "URL": 22, "FileHash-MD5": 108, "FileHash-SHA1": 9, "FileHash-SHA256": 25, "domain": 59, "hostname": 415 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a07476c4037c7147786fb54", "name": "Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "The recent CountLoader campaign, identified by McAfee Labs, exemplifies a sophisticated method of cyberattack featuring multiple layers of obfuscation and a complex infection chain. The attackers utilize various loaders including PowerShell scripts and obfuscated JavaScript executed via mshta.exe to facilitate the infection process. Each stage of this process is designed to remain hidden, employing in-memory shellcode injection techniques that further complicate detection efforts.", "modified": "2026-05-15T16:18:52.891000", "created": "2026-05-15T16:18:52.891000", "tags": [ "compromise ioc", "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d5f6631a53a06db87bd1e3", "name": "IOC Blocking", "description": "The following is a full list of people who have contributed to the website of \"factu\" and \"grupobedfs\" - a group that includes the names of two groups of individuals.", "modified": "2026-05-08T06:44:52.553000", "created": "2026-04-08T06:32:02.989000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 5, "domain": 12, "hostname": 8 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ccc4e875fb8ee38f78fe74", "name": "dsfdfvgdvdf", "description": "", "modified": "2026-04-01T07:10:32.762000", "created": "2026-04-01T07:10:32.762000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "URL": 53 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb684b26cba28a6f033bec", "name": "IOC - DeepLoad Malware Pairs ClickFix Delivery with AI-Generated Evasion", "description": "ReliaQuest has observed the new \u201cDeepLoad\u201d malware being exploited in enterprise environments. What sets this campaign apart isn\u2019t any single stand-out technique, but how the entire attack chain was engineered to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.", "modified": "2026-03-31T06:23:07.522000", "created": "2026-03-31T06:23:07.522000", "tags": [], "references": [ "https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "60 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695347a63819a0de97bfd362", "name": "IOC - \u5e7f\u544a\u4f4d\u53d8\u7a83\u5bc6\u901a\u9053\uff1aIDM\u7834\u89e3\u5de5\u5177\u4f5c\u8005\u6216\u6210\u4e3a\u7a83\u5bc6\u5e2e\u51f6", "description": "\u8fd1\u671f\uff0c\u706b\u7ed2\u5b89\u5168\u5de5\u7a0b\u5e08\u76d1\u6d4b\u53d1\u73b0\u4e00\u4e2a\u5371\u9669\u9677\u9631\uff1a\u5f88\u591a\u4eba\u60f3\u627e\u7684\u201cIDM \u7834\u89e3\u7a0b\u5e8f\u201d\uff0c\u5176\u4e0b\u8f7d\u7f51\u7ad9\u7684\u663e\u773c\u5e7f\u544a\u4f4d\u91cc\u85cf\u7740\u6076\u610f\u4e0b\u8f7d\u6309\u94ae\uff0c\u4e0b\u8f7d\u8fd0\u884c\u5c31\u4f1a\u4e2d\u62db\u7a83\u5bc6\u75c5\u6bd2\uff01\u8fd9\u7c7b\u75c5\u6bd2\u4e13\u95e8\u76ef\u7740\u4f60\u7684\u91cd\u8981\u4fe1\u606f\u2014\u2014 \u4f8b\u5982\u6d4f\u89c8\u5668\u4fdd\u5b58\u7684\u5bc6\u7801\u3001Steam \u6e38\u620f\u8d26\u53f7\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u3001Github \u8d26\u53f7\uff0c\u751a\u81f3\u4f1a\u5077\u5077\u66ff\u6362\u52a0\u5bc6\u8d27\u5e01\u6536\u6b3e\u5730\u5740\u3001\u83b7\u53d6\u90ae\u7bb1\u9a8c\u8bc1\u7801\uff0c\u628a\u4f60\u7684\u8d22\u4ea7\u548c\u9690\u79c1\u4e00\u952e\u5077\u8d70\uff0c\u6700\u7ec8\u5168\u90e8\u4e0a\u4f20\u5230\u7a83\u5bc6\u8005\u7684\u670d\u52a1\u5668\u3002", "modified": "2026-01-29T03:01:02.366000", "created": "2025-12-30T03:31:50.600000", "tags": [ "sha256" ], "references": [ "https://www.huorong.cn/document/tech/vir_report/1889" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-SHA256": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hell1-kitty.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hell1-kitty.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200299.0280223 }