{ "type": "Domain", "indicator": "hip-hosting.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hip-hosting.com", "alexa": "http://www.alexa.com/siteinfo/hip-hosting.com", "indicator": "hip-hosting.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4076204174, "indicator": "hip-hosting.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "684c90509889eb77ff43d758", "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:55:44.654000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 386978, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "685565d18dcfa008791de420", "name": "GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group has identified a new threat actor that overlaps with a financially motivated group commonly referred to as FIN7, which is believed to be linked to state-sponsored cybercriminal groups.", "modified": "2025-07-20T13:04:56.925000", "created": "2025-06-20T13:44:49.483000", "tags": [ "fin7", "insikt group", "grayalpha", "netsupport rat", "powernet", "maskbat", "fakebat", "april", "raas", "tag124", "combi", "carbanak", "powertrash", "diceloader", "aukill", "revil", "maze", "darkside", "powershell", "future", "insikt", "cases prevent", "anubis", "netsupport" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "Anubis", "display_name": "Anubis", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "FIN7", "display_name": "FIN7", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Retail", "Hospitality", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "domain": 35 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fc08ec1f449ae3711bff0", "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.", "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:58:22.198000", "tags": [ "strong", "title", "link", "summary", "threats", "grayalpha", "rst cloud", "powershell", "discord", "katz stealer", "funksec", "killsec", "february", "ghostlocker", "werewolf", "hammer", "shadowpad", "scatterbrain", "asyncrat", "loader", "malware", "muddywater", "skuld", "remote access", "javascript" ], "references": [ "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Skuld", "display_name": "Skuld", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "FileHash-MD5": 249, "FileHash-SHA1": 112, "FileHash-SHA256": 244, "CVE": 1, "domain": 232, "email": 2, "hostname": 67 }, "indicator_count": 943, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684ef8a0dd98ef690862f85a", "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.", "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT)..", "modified": "2025-07-15T16:04:55.152000", "created": "2025-06-15T16:45:20.658000", "tags": [], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 8, "domain": 143, "email": 4, "hostname": 1 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "322 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853d0f0f31f3f1ceda90e69", "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-19T08:57:20.036000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": "684c90509889eb77ff43d758", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg", "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2", "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf" ], "related": { "alienvault": { "adversary": [ "GrayAlpha" ], "malware_families": [ "Maskbat", "Netsupport rat", "Powernet" ], "industries": [ "Retail", "Finance", "Hospitality" ] }, "other": { "adversary": [ "GrayAlpha", "Insikt" ], "malware_families": [ "Maskbat", "Fin7", "Shadowpad", "Powernet", "Insikt", "Anubis", "Cases prevent", "Remote access", "Javascript", "Netsupport rat", "Skuld", "Netsupport" ], "industries": [ "Retail", "Finance", "Hospitality", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "684c90509889eb77ff43d758", "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-13T20:55:44.654000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 386978, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "685565d18dcfa008791de420", "name": "GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "Insikt Group has identified a new threat actor that overlaps with a financially motivated group commonly referred to as FIN7, which is believed to be linked to state-sponsored cybercriminal groups.", "modified": "2025-07-20T13:04:56.925000", "created": "2025-06-20T13:44:49.483000", "tags": [ "fin7", "insikt group", "grayalpha", "netsupport rat", "powernet", "maskbat", "fakebat", "april", "raas", "tag124", "combi", "carbanak", "powertrash", "diceloader", "aukill", "revil", "maze", "darkside", "powershell", "future", "insikt", "cases prevent", "anubis", "netsupport" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat" ], "public": 1, "adversary": "Insikt", "targeted_countries": [], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "Anubis", "display_name": "Anubis", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "FIN7", "display_name": "FIN7", "target": null }, { "id": "Insikt", "display_name": "Insikt", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Retail", "Hospitality", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "domain": 35 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684fc08ec1f449ae3711bff0", "name": "From Ideology to Financial Gain: Exploring the Convergence from Hacktivism to Cybercrime.", "description": "Recent trends in cyber threats reveal a significant shift as hacktivist groups such as FunkSec, KillSec, and GhostSec increasingly engage in financially motivated cybercrime, blending traditional hacktivism with ransomware operations. FunkSec has transitioned from political activism to a ransomware-as-a-service (RaaS) model, claiming at least 172 victims and leveraging generative AI for rapid victim acquisition. KillSec, aligning with the Russian cyber realm, has adopted customizable ransomware solutions and implemented double extortion tactics to enhance its monetization strategies. GhostSec, initially rooted in hacktivism, has forged partnerships with cybercriminals, launching its own RaaS offering, GhostLocker, while also returning to political motivations after securing funding through these illicit activities.", "modified": "2025-07-16T06:01:43.026000", "created": "2025-06-16T06:58:22.198000", "tags": [ "strong", "title", "link", "summary", "threats", "grayalpha", "rst cloud", "powershell", "discord", "katz stealer", "funksec", "killsec", "february", "ghostlocker", "werewolf", "hammer", "shadowpad", "scatterbrain", "asyncrat", "loader", "malware", "muddywater", "skuld", "remote access", "javascript" ], "references": [ "https://medium.com/@rst_cloud/rst-ti-report-digest-16-jun-2025-fccf30fd48a2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Skuld", "display_name": "Skuld", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "FileHash-MD5": 249, "FileHash-SHA1": 112, "FileHash-SHA256": 244, "CVE": 1, "domain": 232, "email": 2, "hostname": 67 }, "indicator_count": 943, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684ef8a0dd98ef690862f85a", "name": "GrayAlpha Uses Diverse Infection Vectors to Deploy PowerNet Loader and NetSupport RAT.", "description": "Insikt Group has uncovered new infrastructure and malware associated with GrayAlpha, a cyber threat actor with ties to the financially motivated group FIN7. Specifically, three primary infection vectors have been identified: fake browser updates, malicious 7-Zip download pages, and a traffic distribution system (TDS) known as TAG-124, which had not been linked to GrayAlpha previously. The threat actor employs a new PowerShell loader called PowerNet and an obfuscated variant of FakeBat dubbed MaskBat, both of which facilitate the delivery of the NetSupport Remote Access Trojan (RAT)..", "modified": "2025-07-15T16:04:55.152000", "created": "2025-06-15T16:45:20.658000", "tags": [], "references": [ "https://go.recordedfuture.com/hubfs/reports/cta-2025-0613.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 8, "domain": 143, "email": 4, "hostname": 1 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "322 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6853d0f0f31f3f1ceda90e69", "name": "IOC - New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks", "description": "", "modified": "2025-07-13T20:04:30.723000", "created": "2025-06-19T08:57:20.036000", "tags": [ "fake updates", "powernet", "7-zip", "infrastructure", "fin7", "tag-124", "netsupport rat", "maskbat" ], "references": [ "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat", "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg" ], "public": 1, "adversary": "GrayAlpha", "targeted_countries": [], "malware_families": [ { "id": "PowerNet", "display_name": "PowerNet", "target": null }, { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "MaskBat", "display_name": "MaskBat", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [ "Retail", "Hospitality", "Finance" ], "TLP": "white", "cloned_from": "684c90509889eb77ff43d758", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 158, "URL": 6, "domain": 145, "hostname": 1 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hip-hosting.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hip-hosting.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780447050.5991204 }