{ "type": "Domain", "indicator": "hiringinterview.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hiringinterview.org", "alexa": "http://www.alexa.com/siteinfo/hiringinterview.org", "indicator": "hiringinterview.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4018723053, "indicator": "hiringinterview.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386477, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67be5c918383a173b86a4b21", "name": "Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation revealed 27 unique Astrill VPN IP addresses in logs associated with the group's test records. The ongoing campaign involves fake job interviews on LinkedIn to lure victims into downloading malware. The research also uncovered connections to multiple domains likely part of Lazarus infrastructure, with a focus on employment scams targeting the crypto community. The group's tactics include sophisticated social engineering and malware deployment methods.", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-26T00:13:05.754000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6823368c8107e1b6516c62ac", "name": "Willow video interview phish", "description": "", "modified": "2025-06-01T05:07:53.563000", "created": "2025-05-13T12:09:48.260000", "tags": [ "phishing", "North Korea" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 19, "hostname": 26 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "363 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c563ef41ae66abe269ee7", "name": "Lazarus extra", "description": "", "modified": "2025-05-07T12:05:44.503000", "created": "2025-01-31T04:49:02.719000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 334, "hostname": 190, "URL": 526, "FileHash-SHA256": 37, "CVE": 1 }, "indicator_count": 1088, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c00d57384dd79415739c73", "name": "Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-27T06:59:35.122000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "67be5c918383a173b86a4b21", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 283, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0169f8f20fdc01ea9d97e", "name": "IOC&TTP - Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "Silent Push \u5206\u6790\u5e08\u63ed\u793a\u4e86 Lazarus\uff08\u62c9\u6492\u8def\uff09\u9ad8\u7ea7\u6301\u7eed\u6027\u5a01\u80c1\uff08APT\uff09\u7ec4\u7ec7\u5728 Bybit \u53f2\u4e0a\u6700\u5927 14 \u4ebf\u7f8e\u5143\u52a0\u5bc6\u8d27\u5e01\u76d7\u7a83\u6848 \u4e2d\u7684\u5173\u952e\u8bc1\u636e\u3002\u8c03\u67e5\u53d1\u73b0\uff0cLazarus \u5728\u653b\u51fb\u524d\u51e0\u4e2a\u5c0f\u65f6\u6ce8\u518c\u4e86 bybit-assessment.com \u57df\u540d\uff0c\u5e76\u4e0e\u5148\u524d Lazarus \u76f8\u5173\u7684\u7535\u5b50\u90ae\u4ef6 trevorgreer9312@gmail.com \u5173\u8054\u3002\u6b64\u5916\uff0c\u5206\u6790\u8fd8\u53d1\u73b0\u4e86 27 \u4e2a\u72ec\u7279\u7684 Astrill VPN IP \u5730\u5740\uff0c\u8868\u660e\u8be5\u7ec4\u7ec7\u9ad8\u5ea6\u4f9d\u8d56\u8be5 VPN \u8fdb\u884c\u6d3b\u52a8\u3002\n\n\u62a5\u544a\u8fdb\u4e00\u6b65\u6307\u51fa\uff0c\u5b9e\u65bd\u653b\u51fb\u7684\u5317\u671d\u9c9c\u7f51\u7edc\u5a01\u80c1\u7ec4\u7ec7\u53ef\u5206\u4e3a\u4e24\u4e2a\u5b50\u56e2\u4f53\uff1aTraderTraitor\uff08Jade Sleet, Slow Pisces\uff09 \u8d1f\u8d23 Bybit \u76d7\u7a83\u6848\uff0c\u800c Contagious Interview\uff08Famous Chollima\uff09 \u4e3b\u8981\u8fdb\u884c\u9488\u5bf9\u52a0\u5bc6\u884c\u4e1a\u7684\u62db\u8058\u8bc8\u9a97\u3002\u8fd9\u4e9b\u653b\u51fb\u8005\u5229\u7528 LinkedIn \u4f2a\u9020\u6c42\u804c\u9762\u8bd5\uff0c\u5f15\u8bf1\u53d7\u5bb3\u8005\u8fd0\u884c MacOS \u6076\u610f\u8f6f\u4ef6\uff0c\u4ece\u800c\u7a83\u53d6\u51ed\u636e\u5e76\u5165\u4fb5\u4f01\u4e1a\u8d44\u4ea7\u3002\n\nSilent Push \u6210\u529f\u6e17\u900f\u4e86 Lazarus \u76f8\u5173\u7684\u57fa\u7840\u8bbe\u65bd\uff0c\u53d1\u73b0\u4e86 \u65e5\u5fd7\u6587\u4ef6\u3001\u6d4b\u8bd5\u8bb0\u5f55\u548c\u9493\u9c7c\u7b56\u7565\uff0c\u63ed\u793a\u4e86\u8be5\u7ec4\u7ec7\u5728\u653b\u51fb\u524d\u7684\u5468\u5bc6\u51c6\u5907\u548c\u4f18\u5316\u7684\u4f5c\u6848\u624b\u6cd5\u3002\u6b64\u5916\uff0c\u7814\u7a76\u8fd8\u63ed\u793a\u4e86\u4e00\u6279\u4e0e Lazarus \u76f8\u5173\u7684 \u865a\u5047\u57df\u540d\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\uff0c\u8fdb\u4e00\u6b65\u4f50\u8bc1\u4e86\u5317\u671d\u9c9c\u56fd\u5bb6\u7ea7\u9ed1\u5ba2\u7ec4\u7ec7\u5728\u91d1\u878d\u7f51\u7edc\u72af\u7f6a\u4e2d\u7684\u9ad8\u5ea6\u590d\u6742\u6027\u3002\n\n\u672c\u62a5\u544a\u5f3a\u8c03\u4e86\u52a0\u5bc6\u8d27\u5e01\u884c\u4e1a\u9762\u4e34\u7684 \u6301\u7eed\u7f51\u7edc\u5b89\u5168\u5a01\u80c1\uff0c\u5e76\u8b66\u793a\u5404\u65b9\u5e94\u63d0\u9ad8\u8b66\u60d5\uff0c\u91c7\u53d6\u6709\u6548\u9632\u5fa1\u63aa\u65bd\uff0c\u4ee5\u9632\u8303\u6b64\u7c7b \u56fd\u5bb6\u7ea7\u9ed1\u5ba2\u653b\u51fb\u3002", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-27T07:39:11.245000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "67be5c918383a173b86a4b21", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678cf84111bda3bf347e99ae", "name": "Lazarus APT Targets Job Seekers Through Social Media", "description": "Lazarus APT Targets Job Seekers with Campaign Employing ClickFix Technique.", "modified": "2025-01-19T13:04:01.576000", "created": "2025-01-19T13:04:01.576000", "tags": [ "domain", "cyber", "threat", "january", "time", "crypto cyber", "defence", "classification", "confidential", "gemini" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 115 }, "indicator_count": 149, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "496 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6771e4a29a311b48af1aca15", "name": "Twitter Feed - Phish_Destroy - 29-12-2024", "description": "", "modified": "2024-12-30T00:09:06.603000", "created": "2024-12-30T00:09:06.603000", "tags": [ "phishing", "malware", "scam" ], "references": [ "https://x.com/Phish_Destroy/status/1873200074584670330", "https://x.com/Phish_Destroy/status/1873200482858221982", "https://x.com/Phish_Destroy/status/1873201286432342107", "https://x.com/Phish_Destroy/status/1873201718198190127", "https://x.com/Phish_Destroy/status/1873201789237117314", "https://x.com/Phish_Destroy/status/1873202425584337331", "https://x.com/Phish_Destroy/status/1873203672932597773", "https://x.com/Phish_Destroy/status/1873203876666740816", "https://x.com/Phish_Destroy/status/1873204017033253351", "https://x.com/Phish_Destroy/status/1873204443682095440", "https://x.com/Phish_Destroy/status/1873205146328678621", "https://x.com/Phish_Destroy/status/1873205233964535991", "https://x.com/Phish_Destroy/status/1873206282683072913", "https://x.com/Phish_Destroy/status/1873206436949574067", "https://x.com/Phish_Destroy/status/1873207567662629251", "https://x.com/Phish_Destroy/status/1873209417401024524", "https://x.com/Phish_Destroy/status/1873209836298748206", "https://x.com/Phish_Destroy/status/1873209928355332442", "https://x.com/Phish_Destroy/status/1873210549066187265", "https://x.com/Phish_Destroy/status/1873211262873813508", "https://x.com/Phish_Destroy/status/1873211431321239689", "https://x.com/Phish_Destroy/status/1873211521641398614", "https://x.com/Phish_Destroy/status/1873211679431115231", "https://x.com/Phish_Destroy/status/1873213454280011897", "https://x.com/Phish_Destroy/status/1873215494909771981", "https://x.com/Phish_Destroy/status/1873217123226648880", "https://x.com/Phish_Destroy/status/1873217848912560535", "https://x.com/Phish_Destroy/status/1873219145984307312", "https://x.com/Phish_Destroy/status/1873219201261027698", "https://x.com/Phish_Destroy/status/1873219539850469412", "https://x.com/Phish_Destroy/status/1873220443546763709", "https://x.com/Phish_Destroy/status/1873220834418147694", "https://x.com/Phish_Destroy/status/1873220967138508885", "https://x.com/Phish_Destroy/status/1873221201029632256", "https://x.com/Phish_Destroy/status/1873222100984709355", "https://x.com/Phish_Destroy/status/1873227854294728741", "https://x.com/Phish_Destroy/status/1873231940532486446", "https://x.com/Phish_Destroy/status/1873232031808929858", "https://x.com/Phish_Destroy/status/1873236929363493287", "https://x.com/Phish_Destroy/status/1873237560618828045", "https://x.com/Phish_Destroy/status/1873237902857257003", "https://x.com/Phish_Destroy/status/1873239452921020923", "https://x.com/Phish_Destroy/status/1873239879083290860", "https://x.com/Phish_Destroy/status/1873243514718601292", "https://x.com/Phish_Destroy/status/1873245002966679668", "https://x.com/Phish_Destroy/status/1873246624925007920", "https://x.com/Phish_Destroy/status/1873247415354179880", "https://x.com/Phish_Destroy/status/1873247717025300894", "https://x.com/Phish_Destroy/status/1873253513867952587", "https://x.com/Phish_Destroy/status/1873253964973785159", "https://x.com/Phish_Destroy/status/1873254392364974290", "https://x.com/Phish_Destroy/status/1873254636884578760", "https://x.com/Phish_Destroy/status/1873255980643041557", "https://x.com/Phish_Destroy/status/1873256365675954261", "https://x.com/Phish_Destroy/status/1873256522886857073", "https://x.com/Phish_Destroy/status/1873256824226627907", "https://x.com/Phish_Destroy/status/1873257203106517184", "https://x.com/Phish_Destroy/status/1873257274246083045", "https://x.com/Phish_Destroy/status/1873260332304744699", "https://x.com/Phish_Destroy/status/1873260470020534695", "https://x.com/Phish_Destroy/status/1873261146687586720", "https://x.com/Phish_Destroy/status/1873261471393873939", "https://x.com/Phish_Destroy/status/1873261558211719306", "https://x.com/Phish_Destroy/status/1873262182080897222", "https://x.com/Phish_Destroy/status/1873262640971362574", "https://x.com/Phish_Destroy/status/1873262767953854464", "https://x.com/Phish_Destroy/status/1873262844076278047", "https://x.com/Phish_Destroy/status/1873264488285401347", "https://x.com/Phish_Destroy/status/1873264749020103037", "https://x.com/Phish_Destroy/status/1873264876392726586", "https://x.com/Phish_Destroy/status/1873265329134289107", "https://x.com/Phish_Destroy/status/1873265542871826896", "https://x.com/Phish_Destroy/status/1873266341119180946", "https://x.com/Phish_Destroy/status/1873267228830990477", "https://x.com/Phish_Destroy/status/1873269227161039056", "https://x.com/Phish_Destroy/status/1873269605189468369", "https://x.com/Phish_Destroy/status/1873269705609495008", "https://x.com/Phish_Destroy/status/1873282402539438452", "https://x.com/Phish_Destroy/status/1873298963774017999", "https://x.com/Phish_Destroy/status/1873300131103309986", "https://x.com/Phish_Destroy/status/1873310039596789836", "https://x.com/Phish_Destroy/status/1873357191094427802", "https://x.com/Phish_Destroy/status/1873361259166667057", "https://x.com/Phish_Destroy/status/1873362527192801479", "https://x.com/Phish_Destroy/status/1873364703608799613", "https://x.com/Phish_Destroy/status/1873393731141013978", "https://x.com/Phish_Destroy/status/1873398973832343979", "https://x.com/Phish_Destroy/status/1873399555561238899" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "domain": 47, "hostname": 39 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "517 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/Phish_Destroy/status/1873217848912560535", "https://x.com/Phish_Destroy/status/1873210549066187265", "https://x.com/Phish_Destroy/status/1873209417401024524", "https://x.com/Phish_Destroy/status/1873264488285401347", "https://x.com/Phish_Destroy/status/1873243514718601292", "https://x.com/Phish_Destroy/status/1873209836298748206", "https://x.com/Phish_Destroy/status/1873200074584670330", "https://x.com/Phish_Destroy/status/1873253964973785159", "https://x.com/Phish_Destroy/status/1873237902857257003", "https://x.com/Phish_Destroy/status/1873204017033253351", "https://x.com/Phish_Destroy/status/1873260332304744699", "https://x.com/Phish_Destroy/status/1873260470020534695", "https://x.com/Phish_Destroy/status/1873264876392726586", "https://x.com/Phish_Destroy/status/1873206282683072913", "https://x.com/Phish_Destroy/status/1873231940532486446", "https://x.com/Phish_Destroy/status/1873364703608799613", "https://x.com/Phish_Destroy/status/1873261146687586720", "https://x.com/Phish_Destroy/status/1873204443682095440", "https://x.com/Phish_Destroy/status/1873202425584337331", "https://x.com/Phish_Destroy/status/1873267228830990477", "https://x.com/Phish_Destroy/status/1873393731141013978", "https://x.com/Phish_Destroy/status/1873357191094427802", "https://x.com/Phish_Destroy/status/1873362527192801479", "https://x.com/Phish_Destroy/status/1873219201261027698", "https://x.com/Phish_Destroy/status/1873247717025300894", "https://x.com/Phish_Destroy/status/1873245002966679668", "https://x.com/Phish_Destroy/status/1873205233964535991", "https://x.com/Phish_Destroy/status/1873201718198190127", "https://x.com/Phish_Destroy/status/1873262182080897222", "https://x.com/Phish_Destroy/status/1873203876666740816", "https://x.com/Phish_Destroy/status/1873213454280011897", "https://x.com/Phish_Destroy/status/1873257203106517184", "https://x.com/Phish_Destroy/status/1873239452921020923", "https://x.com/Phish_Destroy/status/1873254392364974290", "https://x.com/Phish_Destroy/status/1873265329134289107", "https://x.com/Phish_Destroy/status/1873215494909771981", "https://x.com/Phish_Destroy/status/1873282402539438452", "https://x.com/Phish_Destroy/status/1873298963774017999", "https://x.com/Phish_Destroy/status/1873200482858221982", "https://x.com/Phish_Destroy/status/1873262640971362574", "https://x.com/Phish_Destroy/status/1873201286432342107", "https://x.com/Phish_Destroy/status/1873310039596789836", "https://x.com/Phish_Destroy/status/1873255980643041557", "https://x.com/Phish_Destroy/status/1873262844076278047", "https://x.com/Phish_Destroy/status/1873264749020103037", "https://x.com/Phish_Destroy/status/1873265542871826896", "https://x.com/Phish_Destroy/status/1873398973832343979", "https://x.com/Phish_Destroy/status/1873253513867952587", "https://x.com/Phish_Destroy/status/1873239879083290860", "https://x.com/Phish_Destroy/status/1873361259166667057", "https://x.com/Phish_Destroy/status/1873222100984709355", "https://x.com/Phish_Destroy/status/1873219145984307312", "https://x.com/Phish_Destroy/status/1873246624925007920", "https://x.com/Phish_Destroy/status/1873261558211719306", "https://x.com/Phish_Destroy/status/1873211521641398614", "https://x.com/Phish_Destroy/status/1873206436949574067", "https://x.com/Phish_Destroy/status/1873261471393873939", "https://x.com/Phish_Destroy/status/1873211679431115231", "https://x.com/Phish_Destroy/status/1873221201029632256", "https://x.com/Phish_Destroy/status/1873269605189468369", "https://x.com/Phish_Destroy/status/1873236929363493287", "https://x.com/Phish_Destroy/status/1873256522886857073", "https://x.com/Phish_Destroy/status/1873207567662629251", "https://x.com/Phish_Destroy/status/1873211431321239689", "https://x.com/Phish_Destroy/status/1873227854294728741", "https://x.com/Phish_Destroy/status/1873232031808929858", "https://x.com/Phish_Destroy/status/1873209928355332442", "https://x.com/Phish_Destroy/status/1873219539850469412", "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops", "https://x.com/Phish_Destroy/status/1873262767953854464", "https://x.com/Phish_Destroy/status/1873269227161039056", "https://x.com/Phish_Destroy/status/1873257274246083045", "https://x.com/Phish_Destroy/status/1873266341119180946", "https://x.com/Phish_Destroy/status/1873217123226648880", "https://x.com/Phish_Destroy/status/1873269705609495008", "https://x.com/Phish_Destroy/status/1873399555561238899", "https://x.com/Phish_Destroy/status/1873237560618828045", "https://x.com/Phish_Destroy/status/1873256365675954261", "https://www.silentpush.com/blog/lazarus-bybit/", "https://x.com/Phish_Destroy/status/1873211262873813508", "https://x.com/Phish_Destroy/status/1873201789237117314", "https://x.com/Phish_Destroy/status/1873220834418147694", "https://x.com/Phish_Destroy/status/1873254636884578760", "https://x.com/Phish_Destroy/status/1873205146328678621", "https://x.com/Phish_Destroy/status/1873247415354179880", "https://x.com/Phish_Destroy/status/1873220443546763709", "https://x.com/Phish_Destroy/status/1873203672932597773", "https://x.com/Phish_Destroy/status/1873220967138508885", "https://x.com/Phish_Destroy/status/1873256824226627907", "https://x.com/Phish_Destroy/status/1873300131103309986" ], "related": { "alienvault": { "adversary": [ "Contagious Interview", "Lazarus Group" ], "malware_families": [], "industries": [ "Finance", "Technology" ] }, "other": { "adversary": [ "CryptoGen Cyber Threat Intelligence Advisory", "Lazarus Group" ], "malware_families": [], "industries": [ "Finance", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "68b9d266a57b122998115dc6", "name": "Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms", "description": "North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverage multiple intelligence sources including Validin, VirusTotal, and Maltrail. Despite being aware of their infrastructure's detectability, they make only limited changes to reduce detection risk, focusing instead on rapidly deploying new infrastructure to sustain operations. The actors' effectiveness is evident in their engagement of over 230 victims between January and March 2025, primarily targeting individuals in the cryptocurrency industry. Their activities involve sophisticated social engineering tactics, including the ClickFix technique, to trick targets into executing malware.", "modified": "2025-10-04T17:00:59.344000", "created": "2025-09-04T17:54:46.837000", "tags": [ "cyber espionage", "social engineering", "north korea", "job seeker targeting", "clickfix", "lazarus", "infrastructure monitoring", "cryptocurrency", "contagiousdrop" ], "references": [ "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops" ], "public": 1, "adversary": "Contagious Interview", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 44164, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 116, "FileHash-SHA1": 99, "FileHash-SHA256": 246, "CVE": 1, "domain": 2140, "hostname": 1231 }, "indicator_count": 3833, "is_author": false, "is_subscribing": null, "subscriber_count": 386477, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67be5c918383a173b86a4b21", "name": "Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation revealed 27 unique Astrill VPN IP addresses in logs associated with the group's test records. The ongoing campaign involves fake job interviews on LinkedIn to lure victims into downloading malware. The research also uncovered connections to multiple domains likely part of Lazarus infrastructure, with a focus on employment scams targeting the crypto community. The group's tactics include sophisticated social engineering and malware deployment methods.", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-26T00:13:05.754000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6823368c8107e1b6516c62ac", "name": "Willow video interview phish", "description": "", "modified": "2025-06-01T05:07:53.563000", "created": "2025-05-13T12:09:48.260000", "tags": [ "phishing", "North Korea" ], "references": [], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 19, "hostname": 26 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "363 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c563ef41ae66abe269ee7", "name": "Lazarus extra", "description": "", "modified": "2025-05-07T12:05:44.503000", "created": "2025-01-31T04:49:02.719000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 334, "hostname": 190, "URL": 526, "FileHash-SHA256": 37, "CVE": 1 }, "indicator_count": 1088, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c00d57384dd79415739c73", "name": "Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-27T06:59:35.122000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "67be5c918383a173b86a4b21", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 283, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0169f8f20fdc01ea9d97e", "name": "IOC&TTP - Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks", "description": "Silent Push \u5206\u6790\u5e08\u63ed\u793a\u4e86 Lazarus\uff08\u62c9\u6492\u8def\uff09\u9ad8\u7ea7\u6301\u7eed\u6027\u5a01\u80c1\uff08APT\uff09\u7ec4\u7ec7\u5728 Bybit \u53f2\u4e0a\u6700\u5927 14 \u4ebf\u7f8e\u5143\u52a0\u5bc6\u8d27\u5e01\u76d7\u7a83\u6848 \u4e2d\u7684\u5173\u952e\u8bc1\u636e\u3002\u8c03\u67e5\u53d1\u73b0\uff0cLazarus \u5728\u653b\u51fb\u524d\u51e0\u4e2a\u5c0f\u65f6\u6ce8\u518c\u4e86 bybit-assessment.com \u57df\u540d\uff0c\u5e76\u4e0e\u5148\u524d Lazarus \u76f8\u5173\u7684\u7535\u5b50\u90ae\u4ef6 trevorgreer9312@gmail.com \u5173\u8054\u3002\u6b64\u5916\uff0c\u5206\u6790\u8fd8\u53d1\u73b0\u4e86 27 \u4e2a\u72ec\u7279\u7684 Astrill VPN IP \u5730\u5740\uff0c\u8868\u660e\u8be5\u7ec4\u7ec7\u9ad8\u5ea6\u4f9d\u8d56\u8be5 VPN \u8fdb\u884c\u6d3b\u52a8\u3002\n\n\u62a5\u544a\u8fdb\u4e00\u6b65\u6307\u51fa\uff0c\u5b9e\u65bd\u653b\u51fb\u7684\u5317\u671d\u9c9c\u7f51\u7edc\u5a01\u80c1\u7ec4\u7ec7\u53ef\u5206\u4e3a\u4e24\u4e2a\u5b50\u56e2\u4f53\uff1aTraderTraitor\uff08Jade Sleet, Slow Pisces\uff09 \u8d1f\u8d23 Bybit \u76d7\u7a83\u6848\uff0c\u800c Contagious Interview\uff08Famous Chollima\uff09 \u4e3b\u8981\u8fdb\u884c\u9488\u5bf9\u52a0\u5bc6\u884c\u4e1a\u7684\u62db\u8058\u8bc8\u9a97\u3002\u8fd9\u4e9b\u653b\u51fb\u8005\u5229\u7528 LinkedIn \u4f2a\u9020\u6c42\u804c\u9762\u8bd5\uff0c\u5f15\u8bf1\u53d7\u5bb3\u8005\u8fd0\u884c MacOS \u6076\u610f\u8f6f\u4ef6\uff0c\u4ece\u800c\u7a83\u53d6\u51ed\u636e\u5e76\u5165\u4fb5\u4f01\u4e1a\u8d44\u4ea7\u3002\n\nSilent Push \u6210\u529f\u6e17\u900f\u4e86 Lazarus \u76f8\u5173\u7684\u57fa\u7840\u8bbe\u65bd\uff0c\u53d1\u73b0\u4e86 \u65e5\u5fd7\u6587\u4ef6\u3001\u6d4b\u8bd5\u8bb0\u5f55\u548c\u9493\u9c7c\u7b56\u7565\uff0c\u63ed\u793a\u4e86\u8be5\u7ec4\u7ec7\u5728\u653b\u51fb\u524d\u7684\u5468\u5bc6\u51c6\u5907\u548c\u4f18\u5316\u7684\u4f5c\u6848\u624b\u6cd5\u3002\u6b64\u5916\uff0c\u7814\u7a76\u8fd8\u63ed\u793a\u4e86\u4e00\u6279\u4e0e Lazarus \u76f8\u5173\u7684 \u865a\u5047\u57df\u540d\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\uff0c\u8fdb\u4e00\u6b65\u4f50\u8bc1\u4e86\u5317\u671d\u9c9c\u56fd\u5bb6\u7ea7\u9ed1\u5ba2\u7ec4\u7ec7\u5728\u91d1\u878d\u7f51\u7edc\u72af\u7f6a\u4e2d\u7684\u9ad8\u5ea6\u590d\u6742\u6027\u3002\n\n\u672c\u62a5\u544a\u5f3a\u8c03\u4e86\u52a0\u5bc6\u8d27\u5e01\u884c\u4e1a\u9762\u4e34\u7684 \u6301\u7eed\u7f51\u7edc\u5b89\u5168\u5a01\u80c1\uff0c\u5e76\u8b66\u793a\u5404\u65b9\u5e94\u63d0\u9ad8\u8b66\u60d5\uff0c\u91c7\u53d6\u6709\u6548\u9632\u5fa1\u63aa\u65bd\uff0c\u4ee5\u9632\u8303\u6b64\u7c7b \u56fd\u5bb6\u7ea7\u9ed1\u5ba2\u653b\u51fb\u3002", "modified": "2025-03-28T00:00:41.655000", "created": "2025-02-27T07:39:11.245000", "tags": [ "north korea", "cryptocurrency", "phishing", "social engineering", "bybit", "apt" ], "references": [ "https://www.silentpush.com/blog/lazarus-bybit/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "67be5c918383a173b86a4b21", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678cf84111bda3bf347e99ae", "name": "Lazarus APT Targets Job Seekers Through Social Media", "description": "Lazarus APT Targets Job Seekers with Campaign Employing ClickFix Technique.", "modified": "2025-01-19T13:04:01.576000", "created": "2025-01-19T13:04:01.576000", "tags": [ "domain", "cyber", "threat", "january", "time", "crypto cyber", "defence", "classification", "confidential", "gemini" ], "references": [], "public": 1, "adversary": "CryptoGen Cyber Threat Intelligence Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 115 }, "indicator_count": 149, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "496 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6771e4a29a311b48af1aca15", "name": "Twitter Feed - Phish_Destroy - 29-12-2024", "description": "", "modified": "2024-12-30T00:09:06.603000", "created": "2024-12-30T00:09:06.603000", "tags": [ "phishing", "malware", "scam" ], "references": [ "https://x.com/Phish_Destroy/status/1873200074584670330", "https://x.com/Phish_Destroy/status/1873200482858221982", "https://x.com/Phish_Destroy/status/1873201286432342107", "https://x.com/Phish_Destroy/status/1873201718198190127", "https://x.com/Phish_Destroy/status/1873201789237117314", "https://x.com/Phish_Destroy/status/1873202425584337331", "https://x.com/Phish_Destroy/status/1873203672932597773", "https://x.com/Phish_Destroy/status/1873203876666740816", "https://x.com/Phish_Destroy/status/1873204017033253351", "https://x.com/Phish_Destroy/status/1873204443682095440", "https://x.com/Phish_Destroy/status/1873205146328678621", "https://x.com/Phish_Destroy/status/1873205233964535991", "https://x.com/Phish_Destroy/status/1873206282683072913", "https://x.com/Phish_Destroy/status/1873206436949574067", "https://x.com/Phish_Destroy/status/1873207567662629251", "https://x.com/Phish_Destroy/status/1873209417401024524", "https://x.com/Phish_Destroy/status/1873209836298748206", "https://x.com/Phish_Destroy/status/1873209928355332442", "https://x.com/Phish_Destroy/status/1873210549066187265", "https://x.com/Phish_Destroy/status/1873211262873813508", "https://x.com/Phish_Destroy/status/1873211431321239689", "https://x.com/Phish_Destroy/status/1873211521641398614", "https://x.com/Phish_Destroy/status/1873211679431115231", "https://x.com/Phish_Destroy/status/1873213454280011897", "https://x.com/Phish_Destroy/status/1873215494909771981", "https://x.com/Phish_Destroy/status/1873217123226648880", "https://x.com/Phish_Destroy/status/1873217848912560535", "https://x.com/Phish_Destroy/status/1873219145984307312", "https://x.com/Phish_Destroy/status/1873219201261027698", "https://x.com/Phish_Destroy/status/1873219539850469412", "https://x.com/Phish_Destroy/status/1873220443546763709", "https://x.com/Phish_Destroy/status/1873220834418147694", "https://x.com/Phish_Destroy/status/1873220967138508885", "https://x.com/Phish_Destroy/status/1873221201029632256", "https://x.com/Phish_Destroy/status/1873222100984709355", "https://x.com/Phish_Destroy/status/1873227854294728741", "https://x.com/Phish_Destroy/status/1873231940532486446", "https://x.com/Phish_Destroy/status/1873232031808929858", "https://x.com/Phish_Destroy/status/1873236929363493287", "https://x.com/Phish_Destroy/status/1873237560618828045", "https://x.com/Phish_Destroy/status/1873237902857257003", "https://x.com/Phish_Destroy/status/1873239452921020923", "https://x.com/Phish_Destroy/status/1873239879083290860", "https://x.com/Phish_Destroy/status/1873243514718601292", "https://x.com/Phish_Destroy/status/1873245002966679668", "https://x.com/Phish_Destroy/status/1873246624925007920", "https://x.com/Phish_Destroy/status/1873247415354179880", "https://x.com/Phish_Destroy/status/1873247717025300894", "https://x.com/Phish_Destroy/status/1873253513867952587", "https://x.com/Phish_Destroy/status/1873253964973785159", "https://x.com/Phish_Destroy/status/1873254392364974290", "https://x.com/Phish_Destroy/status/1873254636884578760", "https://x.com/Phish_Destroy/status/1873255980643041557", "https://x.com/Phish_Destroy/status/1873256365675954261", "https://x.com/Phish_Destroy/status/1873256522886857073", "https://x.com/Phish_Destroy/status/1873256824226627907", "https://x.com/Phish_Destroy/status/1873257203106517184", "https://x.com/Phish_Destroy/status/1873257274246083045", "https://x.com/Phish_Destroy/status/1873260332304744699", "https://x.com/Phish_Destroy/status/1873260470020534695", "https://x.com/Phish_Destroy/status/1873261146687586720", "https://x.com/Phish_Destroy/status/1873261471393873939", "https://x.com/Phish_Destroy/status/1873261558211719306", "https://x.com/Phish_Destroy/status/1873262182080897222", "https://x.com/Phish_Destroy/status/1873262640971362574", "https://x.com/Phish_Destroy/status/1873262767953854464", "https://x.com/Phish_Destroy/status/1873262844076278047", "https://x.com/Phish_Destroy/status/1873264488285401347", "https://x.com/Phish_Destroy/status/1873264749020103037", "https://x.com/Phish_Destroy/status/1873264876392726586", "https://x.com/Phish_Destroy/status/1873265329134289107", "https://x.com/Phish_Destroy/status/1873265542871826896", "https://x.com/Phish_Destroy/status/1873266341119180946", "https://x.com/Phish_Destroy/status/1873267228830990477", "https://x.com/Phish_Destroy/status/1873269227161039056", "https://x.com/Phish_Destroy/status/1873269605189468369", "https://x.com/Phish_Destroy/status/1873269705609495008", "https://x.com/Phish_Destroy/status/1873282402539438452", "https://x.com/Phish_Destroy/status/1873298963774017999", "https://x.com/Phish_Destroy/status/1873300131103309986", "https://x.com/Phish_Destroy/status/1873310039596789836", "https://x.com/Phish_Destroy/status/1873357191094427802", "https://x.com/Phish_Destroy/status/1873361259166667057", "https://x.com/Phish_Destroy/status/1873362527192801479", "https://x.com/Phish_Destroy/status/1873364703608799613", "https://x.com/Phish_Destroy/status/1873393731141013978", "https://x.com/Phish_Destroy/status/1873398973832343979", "https://x.com/Phish_Destroy/status/1873399555561238899" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 88, "domain": 47, "hostname": 39 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "517 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hiringinterview.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hiringinterview.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200857.869374 }