{ "type": "Domain", "indicator": "hkcapitals.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hkcapitals.com", "alexa": "http://www.alexa.com/siteinfo/hkcapitals.com", "indicator": "hkcapitals.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4081249970, "indicator": "hkcapitals.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6881ee43ee57a9877a635012", "name": "Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload", "description": "A new iteration of a broad cryptomining campaign, dubbed Soco404, has been identified. The attackers exploit vulnerabilities in cloud environments, particularly targeting PostgreSQL misconfigurations, to deploy cryptominers on both Linux and Windows systems. They use process masquerading, achieve persistence via cron jobs and shell initialization files, and rely on compromised legitimate servers for malware hosting. The malware communicates via local sockets and embeds payloads in fake 404 HTML pages on Google Sites. The campaign is part of a larger crypto-scam infrastructure, demonstrating a versatile and opportunistic operation. The attackers use multiple ingress tools and target various entry points, showing a flexible approach to maximize reach and persistence across diverse targets.", "modified": "2025-07-24T09:11:15.290000", "created": "2025-07-24T08:26:43.473000", "tags": [ "process-masquerading", "multiplatform", "fake-404-pages", "cryptomining", "cve-2025-24813", "compromised-servers", "postgresql", "persistence", "crypto-scam", "soco404" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Korea, Republic of" ], "malware_families": [ { "id": "Soco404", "display_name": "Soco404", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "URL": 2, "domain": 6, "hostname": 1 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68632cd7f6f2c2576c839a75", "name": "Twitter Feed - CarlyGriggs13 - 30-06-2025", "description": "", "modified": "2025-07-31T00:00:48.083000", "created": "2025-07-01T00:33:27.246000", "tags": [ "phishing", "ransomware" ], "references": [ "https://x.com/CarlyGriggs13/status/1939477801020928296", "https://x.com/CarlyGriggs13/status/1939477860164800960", "https://x.com/CarlyGriggs13/status/1939478168760377619", "https://x.com/CarlyGriggs13/status/1939478219742142471", "https://x.com/CarlyGriggs13/status/1939478271181169145", "https://x.com/CarlyGriggs13/status/1939478679957950968", "https://x.com/CarlyGriggs13/status/1939603387512983808", "https://x.com/CarlyGriggs13/status/1939603440381911244", "https://x.com/CarlyGriggs13/status/1939603605117440050", "https://x.com/CarlyGriggs13/status/1939603804585947275", "https://x.com/CarlyGriggs13/status/1939603863704612896", "https://x.com/CarlyGriggs13/status/1939604028599460098", "https://x.com/CarlyGriggs13/status/1939604277162590470", "https://x.com/CarlyGriggs13/status/1939604568817520845", "https://x.com/CarlyGriggs13/status/1939604728452632964", "https://x.com/CarlyGriggs13/status/1939604998872277206", "https://x.com/CarlyGriggs13/status/1939605326384533728", "https://x.com/CarlyGriggs13/status/1939605382722130165", "https://x.com/CarlyGriggs13/status/1939608007639191832", "https://x.com/CarlyGriggs13/status/1939608311847948542", "https://x.com/CarlyGriggs13/status/1939608810944872873", "https://x.com/CarlyGriggs13/status/1939609536324657302", "https://x.com/CarlyGriggs13/status/1939609593543352669", "https://x.com/CarlyGriggs13/status/1939609927330238845", "https://x.com/CarlyGriggs13/status/1939610056523149760", "https://x.com/CarlyGriggs13/status/1939610111590215949", "https://x.com/CarlyGriggs13/status/1939610354666947064", "https://x.com/CarlyGriggs13/status/1939610407448281271", "https://x.com/CarlyGriggs13/status/1939610529229930681", "https://x.com/CarlyGriggs13/status/1939610584665952624", "https://x.com/CarlyGriggs13/status/1939611020953059351", "https://x.com/CarlyGriggs13/status/1939612558501007860", "https://x.com/CarlyGriggs13/status/1939613758147494200", "https://x.com/CarlyGriggs13/status/1939614083218907356", "https://x.com/CarlyGriggs13/status/1939614206325563698", "https://x.com/CarlyGriggs13/status/1939614344494436705", "https://x.com/CarlyGriggs13/status/1939614795872760106", "https://x.com/CarlyGriggs13/status/1939615094260093200", "https://x.com/CarlyGriggs13/status/1939615153957531998", "https://x.com/CarlyGriggs13/status/1939615531247538434", "https://x.com/CarlyGriggs13/status/1939615648667029778", "https://x.com/CarlyGriggs13/status/1939615707286904862", "https://x.com/CarlyGriggs13/status/1939617123716014162", "https://x.com/CarlyGriggs13/status/1939618701470535851", "https://x.com/CarlyGriggs13/status/1939619433955168442", "https://x.com/CarlyGriggs13/status/1939619507015741849", "https://x.com/CarlyGriggs13/status/1939619565094191429", "https://x.com/CarlyGriggs13/status/1939619621251997865", "https://x.com/CarlyGriggs13/status/1939619826630046113", "https://x.com/CarlyGriggs13/status/1939619884045898141", "https://x.com/CarlyGriggs13/status/1939619940102782996", "https://x.com/CarlyGriggs13/status/1939619997854355963", "https://x.com/CarlyGriggs13/status/1939620055223767542", "https://x.com/CarlyGriggs13/status/1939620773573857336", "https://x.com/CarlyGriggs13/status/1939620825776144859", "https://x.com/CarlyGriggs13/status/1939621226327970191", "https://x.com/CarlyGriggs13/status/1939621340622823655", "https://x.com/CarlyGriggs13/status/1939622063569785165", "https://x.com/CarlyGriggs13/status/1939622437135737189", "https://x.com/CarlyGriggs13/status/1939623012837543938", "https://x.com/CarlyGriggs13/status/1939623126049919100", "https://x.com/CarlyGriggs13/status/1939624400644624645", "https://x.com/CarlyGriggs13/status/1939624495515365783", "https://x.com/CarlyGriggs13/status/1939624574012059867", "https://x.com/CarlyGriggs13/status/1939624636745953396", "https://x.com/CarlyGriggs13/status/1939624774314893754", "https://x.com/CarlyGriggs13/status/1939624828933190007", "https://x.com/CarlyGriggs13/status/1939624948286517729", "https://x.com/CarlyGriggs13/status/1939625090426995040", "https://x.com/CarlyGriggs13/status/1939625262498332747", "https://x.com/CarlyGriggs13/status/1939625322011304322", "https://x.com/CarlyGriggs13/status/1939625671279444244", "https://x.com/CarlyGriggs13/status/1939625729416683945", "https://x.com/CarlyGriggs13/status/1939625788975808938", "https://x.com/CarlyGriggs13/status/1939625846937145536", "https://x.com/CarlyGriggs13/status/1939625966348951633", "https://x.com/CarlyGriggs13/status/1939627461337075886", "https://x.com/CarlyGriggs13/status/1939627633509335085", "https://x.com/CarlyGriggs13/status/1939627755848487230", "https://x.com/CarlyGriggs13/status/1939627850421727300", "https://x.com/CarlyGriggs13/status/1939627906730180933", "https://x.com/CarlyGriggs13/status/1939628107683479799", "https://x.com/CarlyGriggs13/status/1939628160913727587", "https://x.com/CarlyGriggs13/status/1939628761491661256", "https://x.com/CarlyGriggs13/status/1939629072570515537", "https://x.com/CarlyGriggs13/status/1939630146970878011", "https://x.com/CarlyGriggs13/status/1939630437032489095", "https://x.com/CarlyGriggs13/status/1939630827702292526", "https://x.com/CarlyGriggs13/status/1939632493935669268", "https://x.com/CarlyGriggs13/status/1939632882399514797", "https://x.com/CarlyGriggs13/status/1939633207449976966", "https://x.com/CarlyGriggs13/status/1939633434860908549", "https://x.com/CarlyGriggs13/status/1939635228756365368", "https://x.com/CarlyGriggs13/status/1939635935806955915", "https://x.com/CarlyGriggs13/status/1939635991469576399", "https://x.com/CarlyGriggs13/status/1939636102543065508", "https://x.com/CarlyGriggs13/status/1939636155735007274", "https://x.com/CarlyGriggs13/status/1939636317203104065", "https://x.com/CarlyGriggs13/status/1939650171849093448", "https://x.com/CarlyGriggs13/status/1939650497947865437", "https://x.com/CarlyGriggs13/status/1939653395108741341", "https://x.com/CarlyGriggs13/status/1939659802268799350", "https://x.com/CarlyGriggs13/status/1939659857587581001", "https://x.com/CarlyGriggs13/status/1939659910897152202", "https://x.com/CarlyGriggs13/status/1939680418883645713", "https://x.com/CarlyGriggs13/status/1939680472361206082", "https://x.com/CarlyGriggs13/status/1939680574152843433", "https://x.com/CarlyGriggs13/status/1939680824388952394", "https://x.com/CarlyGriggs13/status/1939680880483819986", "https://x.com/CarlyGriggs13/status/1939680980328960054", "https://x.com/CarlyGriggs13/status/1939681077611712662", "https://x.com/CarlyGriggs13/status/1939681137443676491", "https://x.com/CarlyGriggs13/status/1939681239180497145", "https://x.com/CarlyGriggs13/status/1939681299138048180", "https://x.com/CarlyGriggs13/status/1939681442944233478", "https://x.com/CarlyGriggs13/status/1939681561731068195", "https://x.com/CarlyGriggs13/status/1939681619029250145", "https://x.com/CarlyGriggs13/status/1939681674091991404", "https://x.com/CarlyGriggs13/status/1939681857114710382", "https://x.com/CarlyGriggs13/status/1939681954821026092", "https://x.com/CarlyGriggs13/status/1939685851241590922", "https://x.com/CarlyGriggs13/status/1939686106112340353", "https://x.com/CarlyGriggs13/status/1939686322253234510", "https://x.com/CarlyGriggs13/status/1939686377605738607", "https://x.com/CarlyGriggs13/status/1939686439291179223", "https://x.com/CarlyGriggs13/status/1939686601048957019", "https://x.com/CarlyGriggs13/status/1939686651694895459", "https://x.com/CarlyGriggs13/status/1939686731009409501", "https://x.com/CarlyGriggs13/status/1939686805852622889", "https://x.com/CarlyGriggs13/status/1939687074694586746", "https://x.com/CarlyGriggs13/status/1939687563238719771", "https://x.com/CarlyGriggs13/status/1939687927929282999", "https://x.com/CarlyGriggs13/status/1939688688084013510", "https://x.com/CarlyGriggs13/status/1939689136295928303", "https://x.com/CarlyGriggs13/status/1939689340440871244", "https://x.com/CarlyGriggs13/status/1939691258911281270", "https://x.com/CarlyGriggs13/status/1939691339786166494", "https://x.com/CarlyGriggs13/status/1939691464771969475", "https://x.com/CarlyGriggs13/status/1939691653880844773", "https://x.com/CarlyGriggs13/status/1939691816753770843", "https://x.com/CarlyGriggs13/status/1939691891953447290", "https://x.com/CarlyGriggs13/status/1939692051198562524", "https://x.com/CarlyGriggs13/status/1939692150918455501", "https://x.com/CarlyGriggs13/status/1939692205729296429", "https://x.com/CarlyGriggs13/status/1939692347970736543", "https://x.com/CarlyGriggs13/status/1939692429218853067", "https://x.com/CarlyGriggs13/status/1939692565575733389", "https://x.com/CarlyGriggs13/status/1939692689064378427", "https://x.com/CarlyGriggs13/status/1939692741992030710", "https://x.com/CarlyGriggs13/status/1939692804122583433", "https://x.com/CarlyGriggs13/status/1939692867338768735", "https://x.com/CarlyGriggs13/status/1939693068631851409", "https://x.com/CarlyGriggs13/status/1939694031241674953", "https://x.com/CarlyGriggs13/status/1939694575666249888", "https://x.com/CarlyGriggs13/status/1939698982588235779", "https://x.com/CarlyGriggs13/status/1939702578662510784", "https://x.com/CarlyGriggs13/status/1939702998738846196", "https://x.com/CarlyGriggs13/status/1939703057094529409", "https://x.com/CarlyGriggs13/status/1939704323220341244", "https://x.com/CarlyGriggs13/status/1939704712758001931", "https://x.com/CarlyGriggs13/status/1939707020434628812", "https://x.com/CarlyGriggs13/status/1939707506084794396", "https://x.com/CarlyGriggs13/status/1939707649328611676", "https://x.com/CarlyGriggs13/status/1939707850353414547", "https://x.com/CarlyGriggs13/status/1939708066037203244", "https://x.com/CarlyGriggs13/status/1939708123264238022", "https://x.com/CarlyGriggs13/status/1939708179669016717", "https://x.com/CarlyGriggs13/status/1939708241459499368", "https://x.com/CarlyGriggs13/status/1939708363144564950", "https://x.com/CarlyGriggs13/status/1939708486754971762", "https://x.com/CarlyGriggs13/status/1939710992734191701", "https://x.com/CarlyGriggs13/status/1939711334431543576", "https://x.com/CarlyGriggs13/status/1939711789341524470", "https://x.com/CarlyGriggs13/status/1939711886242546137", "https://x.com/CarlyGriggs13/status/1939711946078777769", "https://x.com/CarlyGriggs13/status/1939712249678975404", "https://x.com/CarlyGriggs13/status/1939712310505066650", "https://x.com/CarlyGriggs13/status/1939712364728758459", "https://x.com/CarlyGriggs13/status/1939712802429587694", "https://x.com/CarlyGriggs13/status/1939713508930695295", "https://x.com/CarlyGriggs13/status/1939713565914517685", "https://x.com/CarlyGriggs13/status/1939716326114595217", "https://x.com/CarlyGriggs13/status/1939716574954541243", "https://x.com/CarlyGriggs13/status/1939716698661175554", "https://x.com/CarlyGriggs13/status/1939716817083093317", "https://x.com/CarlyGriggs13/status/1939717255186530413", "https://x.com/CarlyGriggs13/status/1939717311268782505", "https://x.com/CarlyGriggs13/status/1939718339405721927", "https://x.com/CarlyGriggs13/status/1939718395538382912", "https://x.com/CarlyGriggs13/status/1939720864167309481", "https://x.com/CarlyGriggs13/status/1939720955187613810", "https://x.com/CarlyGriggs13/status/1939721076776292543", "https://x.com/CarlyGriggs13/status/1939721367819292858", "https://x.com/CarlyGriggs13/status/1939728327662870787", "https://x.com/CarlyGriggs13/status/1939728752910774376", "https://x.com/CarlyGriggs13/status/1939729002522190330", "https://x.com/CarlyGriggs13/status/1939729215143714986", "https://x.com/CarlyGriggs13/status/1939729444999979142", "https://x.com/CarlyGriggs13/status/1939729507579306372", "https://x.com/CarlyGriggs13/status/1939729632959353264", "https://x.com/CarlyGriggs13/status/1939729706020229612", "https://x.com/CarlyGriggs13/status/1939729755521040649", "https://x.com/CarlyGriggs13/status/1939729810495778898", "https://x.com/CarlyGriggs13/status/1939729868595560874", "https://x.com/CarlyGriggs13/status/1939729926703165896", "https://x.com/CarlyGriggs13/status/1939731861854724456", "https://x.com/CarlyGriggs13/status/1939732169221398769", "https://x.com/CarlyGriggs13/status/1939732230949003354", "https://x.com/CarlyGriggs13/status/1939732567311491295", "https://x.com/CarlyGriggs13/status/1939732616736890978", "https://x.com/CarlyGriggs13/status/1939732673431323033", "https://x.com/CarlyGriggs13/status/1939736185623949786", "https://x.com/CarlyGriggs13/status/1939736585731547462", "https://x.com/CarlyGriggs13/status/1939736715482006004", "https://x.com/CarlyGriggs13/status/1939737053606158609", "https://x.com/CarlyGriggs13/status/1939737178017235116", "https://x.com/CarlyGriggs13/status/1939737386260349392", "https://x.com/CarlyGriggs13/status/1939741632187756791", "https://x.com/CarlyGriggs13/status/1939744181364089226", "https://x.com/CarlyGriggs13/status/1939744639759659511", "https://x.com/CarlyGriggs13/status/1939750101901353299", "https://x.com/CarlyGriggs13/status/1939750443841716255", "https://x.com/CarlyGriggs13/status/1939751768189280349", "https://x.com/CarlyGriggs13/status/1939752080186491207", "https://x.com/CarlyGriggs13/status/1939752407291842778", "https://x.com/CarlyGriggs13/status/1939752574250336311", "https://x.com/CarlyGriggs13/status/1939754174805168619", "https://x.com/CarlyGriggs13/status/1939755835980411377", "https://x.com/CarlyGriggs13/status/1939756979985293782", "https://x.com/CarlyGriggs13/status/1939759196712706378", "https://x.com/CarlyGriggs13/status/1939759255868870789", "https://x.com/CarlyGriggs13/status/1939759375742062746", "https://x.com/CarlyGriggs13/status/1939761102222430642", "https://x.com/CarlyGriggs13/status/1939761164130410580", "https://x.com/CarlyGriggs13/status/1939762540117975491", "https://x.com/CarlyGriggs13/status/1939762724080132149", "https://x.com/CarlyGriggs13/status/1939762849980522564", "https://x.com/CarlyGriggs13/status/1939763022383452166", "https://x.com/CarlyGriggs13/status/1939763080499691778", "https://x.com/CarlyGriggs13/status/1939763147121766798", "https://x.com/CarlyGriggs13/status/1939763272770609580", "https://x.com/CarlyGriggs13/status/1939763334712332365", "https://x.com/CarlyGriggs13/status/1939763393520341284", "https://x.com/CarlyGriggs13/status/1939763451728986221", "https://x.com/CarlyGriggs13/status/1939763506330341812", "https://x.com/CarlyGriggs13/status/1939763565763690867", "https://x.com/CarlyGriggs13/status/1939763694642372640", "https://x.com/CarlyGriggs13/status/1939768508771893477", "https://x.com/CarlyGriggs13/status/1939769456491995208", "https://x.com/CarlyGriggs13/status/1939773147382751262", "https://x.com/CarlyGriggs13/status/1939806212746568106", "https://x.com/CarlyGriggs13/status/1939808445110141321" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 250, "domain": 201 }, "indicator_count": 485, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68837bfd1e1f57f512edc8e5", "name": "soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload", "description": "", "modified": "2025-07-25T12:43:41.340000", "created": "2025-07-25T12:43:41.340000", "tags": [ "research", "vulnerabilities", "strong", "elf malware", "sha256", "defense evasion", "soco404", "postgresql", "linux", "devnull", "windows malware", "payload", "persistence", "powershell", "grep", "path", "execution", "copy", "kill", "malware", "xmrig", "possible", "impact", "sharepoint", "footer" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload#iocs-77" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "URL": 2, "domain": 6, "hostname": 2 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "309 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6882ee699d0263126091241e", "name": "IOC - Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload", "description": "", "modified": "2025-07-25T02:39:37.947000", "created": "2025-07-25T02:39:37.947000", "tags": [ "process-masquerading", "multiplatform", "fake-404-pages", "cryptomining", "cve-2025-24813", "compromised-servers", "postgresql", "persistence", "crypto-scam", "soco404" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Korea, Republic of" ], "malware_families": [ { "id": "Soco404", "display_name": "Soco404", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6881ee43ee57a9877a635012", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "URL": 2, "domain": 6, "hostname": 1 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "310 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6881acaffcbc5b1e7c7fa881", "name": "Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload.", "description": "Wiz Research has observed a new phase of a malicious cryptomining campaign termed Soco404, which utilizes advanced techniques to exploit vulnerabilities in cloud environments, specifically focusing on misconfigurations in PostgreSQL databases. The campaign deploys malware that targets both Linux and Windows systems by using compromised servers to deliver DLL files and executables. The attackers employ a variety of legitimate utilities, such as certutil, PowerShell's Invoke-WebRequest, and curl, to enhance their chances of successfully downloading and executing malicious binaries like ok.exe in Windows environments. These binaries are often retrieved to public directories, which are easily writable, facilitating their installation.", "modified": "2025-07-24T03:46:55.856000", "created": "2025-07-24T03:46:55.856000", "tags": [ "research", "vulnerabilities", "strong", "elf malware", "sha256", "defense evasion", "soco404", "postgresql", "linux", "devnull", "windows malware", "payload", "persistence", "powershell", "grep", "path", "execution", "copy", "kill", "malware", "xmrig", "possible", "impact", "sharepoint", "footer", "crypto scam", "files", "mining pool", "attacker" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 26, "URL": 2, "domain": 6, "hostname": 2 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "311 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/CarlyGriggs13/status/1939619621251997865", "https://x.com/CarlyGriggs13/status/1939627906730180933", "https://x.com/CarlyGriggs13/status/1939736185623949786", "https://x.com/CarlyGriggs13/status/1939650497947865437", "https://x.com/CarlyGriggs13/status/1939604728452632964", "https://x.com/CarlyGriggs13/status/1939689136295928303", "https://x.com/CarlyGriggs13/status/1939692429218853067", "https://x.com/CarlyGriggs13/status/1939732567311491295", "https://x.com/CarlyGriggs13/status/1939692205729296429", "https://x.com/CarlyGriggs13/status/1939630146970878011", "https://x.com/CarlyGriggs13/status/1939721076776292543", "https://x.com/CarlyGriggs13/status/1939712249678975404", "https://x.com/CarlyGriggs13/status/1939716698661175554", "https://x.com/CarlyGriggs13/status/1939721367819292858", "https://x.com/CarlyGriggs13/status/1939729706020229612", "https://x.com/CarlyGriggs13/status/1939729002522190330", "https://x.com/CarlyGriggs13/status/1939768508771893477", "https://x.com/CarlyGriggs13/status/1939737178017235116", "https://x.com/CarlyGriggs13/status/1939708123264238022", "https://x.com/CarlyGriggs13/status/1939630437032489095", "https://x.com/CarlyGriggs13/status/1939692150918455501", "https://x.com/CarlyGriggs13/status/1939752574250336311", "https://x.com/CarlyGriggs13/status/1939741632187756791", "https://x.com/CarlyGriggs13/status/1939608311847948542", "https://x.com/CarlyGriggs13/status/1939632493935669268", "https://x.com/CarlyGriggs13/status/1939707649328611676", "https://x.com/CarlyGriggs13/status/1939613758147494200", "https://x.com/CarlyGriggs13/status/1939604998872277206", "https://x.com/CarlyGriggs13/status/1939609536324657302", "https://x.com/CarlyGriggs13/status/1939692804122583433", "https://x.com/CarlyGriggs13/status/1939612558501007860", "https://x.com/CarlyGriggs13/status/1939737053606158609", "https://x.com/CarlyGriggs13/status/1939694575666249888", "https://x.com/CarlyGriggs13/status/1939716817083093317", "https://x.com/CarlyGriggs13/status/1939729444999979142", "https://x.com/CarlyGriggs13/status/1939762724080132149", "https://x.com/CarlyGriggs13/status/1939620055223767542", "https://x.com/CarlyGriggs13/status/1939605326384533728", "https://x.com/CarlyGriggs13/status/1939713508930695295", "https://x.com/CarlyGriggs13/status/1939759255868870789", "https://x.com/CarlyGriggs13/status/1939625322011304322", "https://x.com/CarlyGriggs13/status/1939756979985293782", "https://x.com/CarlyGriggs13/status/1939698982588235779", "https://x.com/CarlyGriggs13/status/1939686731009409501", "https://x.com/CarlyGriggs13/status/1939720955187613810", "https://x.com/CarlyGriggs13/status/1939761102222430642", "https://x.com/CarlyGriggs13/status/1939635991469576399", "https://x.com/CarlyGriggs13/status/1939703057094529409", "https://x.com/CarlyGriggs13/status/1939478679957950968", "https://x.com/CarlyGriggs13/status/1939681954821026092", "https://x.com/CarlyGriggs13/status/1939624774314893754", "https://x.com/CarlyGriggs13/status/1939685851241590922", "https://x.com/CarlyGriggs13/status/1939708486754971762", "https://x.com/CarlyGriggs13/status/1939711946078777769", "https://x.com/CarlyGriggs13/status/1939712802429587694", "https://x.com/CarlyGriggs13/status/1939680824388952394", "https://x.com/CarlyGriggs13/status/1939625788975808938", "https://x.com/CarlyGriggs13/status/1939621226327970191", "https://x.com/CarlyGriggs13/status/1939625262498332747", "https://x.com/CarlyGriggs13/status/1939624828933190007", "https://x.com/CarlyGriggs13/status/1939603440381911244", "https://x.com/CarlyGriggs13/status/1939763022383452166", "https://x.com/CarlyGriggs13/status/1939624948286517729", "https://x.com/CarlyGriggs13/status/1939659857587581001", "https://x.com/CarlyGriggs13/status/1939627755848487230", "https://x.com/CarlyGriggs13/status/1939729632959353264", "https://x.com/CarlyGriggs13/status/1939763080499691778", "https://x.com/CarlyGriggs13/status/1939608810944872873", "https://x.com/CarlyGriggs13/status/1939763506330341812", "https://x.com/CarlyGriggs13/status/1939681137443676491", "https://x.com/CarlyGriggs13/status/1939687563238719771", "https://x.com/CarlyGriggs13/status/1939622063569785165", "https://x.com/CarlyGriggs13/status/1939729215143714986", "https://x.com/CarlyGriggs13/status/1939731861854724456", "https://x.com/CarlyGriggs13/status/1939635228756365368", "https://x.com/CarlyGriggs13/status/1939691258911281270", "https://x.com/CarlyGriggs13/status/1939729507579306372", "https://x.com/CarlyGriggs13/status/1939736715482006004", "https://x.com/CarlyGriggs13/status/1939763334712332365", "https://x.com/CarlyGriggs13/status/1939686439291179223", "https://x.com/CarlyGriggs13/status/1939692689064378427", "https://x.com/CarlyGriggs13/status/1939692867338768735", "https://x.com/CarlyGriggs13/status/1939759375742062746", "https://x.com/CarlyGriggs13/status/1939681442944233478", "https://x.com/CarlyGriggs13/status/1939713565914517685", "https://x.com/CarlyGriggs13/status/1939624400644624645", "https://x.com/CarlyGriggs13/status/1939608007639191832", "https://x.com/CarlyGriggs13/status/1939761164130410580", "https://x.com/CarlyGriggs13/status/1939614795872760106", "https://x.com/CarlyGriggs13/status/1939716326114595217", "https://x.com/CarlyGriggs13/status/1939691891953447290", "https://x.com/CarlyGriggs13/status/1939689340440871244", "https://x.com/CarlyGriggs13/status/1939720864167309481", "https://x.com/CarlyGriggs13/status/1939728327662870787", "https://x.com/CarlyGriggs13/status/1939729868595560874", "https://x.com/CarlyGriggs13/status/1939681674091991404", "https://x.com/CarlyGriggs13/status/1939629072570515537", "https://x.com/CarlyGriggs13/status/1939691816753770843", "https://x.com/CarlyGriggs13/status/1939603804585947275", "https://x.com/CarlyGriggs13/status/1939623126049919100", "https://x.com/CarlyGriggs13/status/1939717311268782505", "https://x.com/CarlyGriggs13/status/1939478168760377619", "https://x.com/CarlyGriggs13/status/1939605382722130165", "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload", "https://x.com/CarlyGriggs13/status/1939744639759659511", "https://x.com/CarlyGriggs13/status/1939610056523149760", "https://x.com/CarlyGriggs13/status/1939681561731068195", "https://x.com/CarlyGriggs13/status/1939692347970736543", "https://x.com/CarlyGriggs13/status/1939752080186491207", "https://x.com/CarlyGriggs13/status/1939614083218907356", "https://x.com/CarlyGriggs13/status/1939625729416683945", "https://x.com/CarlyGriggs13/status/1939691339786166494", "https://x.com/CarlyGriggs13/status/1939691653880844773", "https://x.com/CarlyGriggs13/status/1939619997854355963", "https://x.com/CarlyGriggs13/status/1939732169221398769", "https://x.com/CarlyGriggs13/status/1939619940102782996", "https://x.com/CarlyGriggs13/status/1939610407448281271", "https://x.com/CarlyGriggs13/status/1939635935806955915", "https://x.com/CarlyGriggs13/status/1939732673431323033", "https://x.com/CarlyGriggs13/status/1939729755521040649", "https://x.com/CarlyGriggs13/status/1939636102543065508", "https://x.com/CarlyGriggs13/status/1939711789341524470", "https://x.com/CarlyGriggs13/status/1939737386260349392", "https://x.com/CarlyGriggs13/status/1939477801020928296", "https://x.com/CarlyGriggs13/status/1939653395108741341", "https://x.com/CarlyGriggs13/status/1939636155735007274", "https://x.com/CarlyGriggs13/status/1939680418883645713", "https://x.com/CarlyGriggs13/status/1939615531247538434", "https://x.com/CarlyGriggs13/status/1939603863704612896", "https://x.com/CarlyGriggs13/status/1939610354666947064", "https://x.com/CarlyGriggs13/status/1939686322253234510", "https://x.com/CarlyGriggs13/status/1939702578662510784", "https://x.com/CarlyGriggs13/status/1939750443841716255", "https://x.com/CarlyGriggs13/status/1939625090426995040", "https://x.com/CarlyGriggs13/status/1939614344494436705", "https://x.com/CarlyGriggs13/status/1939712364728758459", "https://x.com/CarlyGriggs13/status/1939620773573857336", "https://x.com/CarlyGriggs13/status/1939687927929282999", "https://x.com/CarlyGriggs13/status/1939704712758001931", "https://x.com/CarlyGriggs13/status/1939702998738846196", "https://x.com/CarlyGriggs13/status/1939603605117440050", "Emmenhtal.pdf", "https://x.com/CarlyGriggs13/status/1939763147121766798", "https://x.com/CarlyGriggs13/status/1939680880483819986", "https://x.com/CarlyGriggs13/status/1939763393520341284", "https://x.com/CarlyGriggs13/status/1939622437135737189", "https://x.com/CarlyGriggs13/status/1939623012837543938", "https://x.com/CarlyGriggs13/status/1939716574954541243", "https://x.com/CarlyGriggs13/status/1939604028599460098", "https://x.com/CarlyGriggs13/status/1939615707286904862", "https://x.com/CarlyGriggs13/status/1939628107683479799", "https://x.com/CarlyGriggs13/status/1939619507015741849", "https://x.com/CarlyGriggs13/status/1939707850353414547", "https://x.com/CarlyGriggs13/status/1939615648667029778", "https://x.com/CarlyGriggs13/status/1939710992734191701", "https://x.com/CarlyGriggs13/status/1939681619029250145", "https://x.com/CarlyGriggs13/status/1939729810495778898", "https://x.com/CarlyGriggs13/status/1939618701470535851", "https://x.com/CarlyGriggs13/status/1939806212746568106", "https://x.com/CarlyGriggs13/status/1939773147382751262", "https://x.com/CarlyGriggs13/status/1939694031241674953", "https://x.com/CarlyGriggs13/status/1939763451728986221", "https://x.com/CarlyGriggs13/status/1939621340622823655", "https://x.com/CarlyGriggs13/status/1939763565763690867", "https://x.com/CarlyGriggs13/status/1939659910897152202", "https://x.com/CarlyGriggs13/status/1939627633509335085", "https://x.com/CarlyGriggs13/status/1939619565094191429", "https://x.com/CarlyGriggs13/status/1939693068631851409", "https://x.com/CarlyGriggs13/status/1939717255186530413", "https://x.com/CarlyGriggs13/status/1939609593543352669", "https://x.com/CarlyGriggs13/status/1939729926703165896", "https://x.com/CarlyGriggs13/status/1939686377605738607", "https://x.com/CarlyGriggs13/status/1939692565575733389", "https://x.com/CarlyGriggs13/status/1939620825776144859", "https://x.com/CarlyGriggs13/status/1939704323220341244", "https://x.com/CarlyGriggs13/status/1939751768189280349", "https://x.com/CarlyGriggs13/status/1939686651694895459", "https://x.com/CarlyGriggs13/status/1939610111590215949", "https://x.com/CarlyGriggs13/status/1939477860164800960", "https://x.com/CarlyGriggs13/status/1939615153957531998", "https://x.com/CarlyGriggs13/status/1939736585731547462", "https://x.com/CarlyGriggs13/status/1939755835980411377", "https://x.com/CarlyGriggs13/status/1939707506084794396", "https://x.com/CarlyGriggs13/status/1939632882399514797", "https://x.com/CarlyGriggs13/status/1939628761491661256", "https://x.com/CarlyGriggs13/status/1939718339405721927", "https://x.com/CarlyGriggs13/status/1939711886242546137", "https://x.com/CarlyGriggs13/status/1939744181364089226", "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload#iocs-77", "https://x.com/CarlyGriggs13/status/1939718395538382912", "https://x.com/CarlyGriggs13/status/1939752407291842778", "https://x.com/CarlyGriggs13/status/1939681857114710382", "https://x.com/CarlyGriggs13/status/1939769456491995208", "https://x.com/CarlyGriggs13/status/1939759196712706378", "https://x.com/CarlyGriggs13/status/1939478271181169145", "https://x.com/CarlyGriggs13/status/1939808445110141321", "https://x.com/CarlyGriggs13/status/1939680574152843433", "https://x.com/CarlyGriggs13/status/1939688688084013510", "https://x.com/CarlyGriggs13/status/1939728752910774376", "https://x.com/CarlyGriggs13/status/1939636317203104065", "https://x.com/CarlyGriggs13/status/1939708179669016717", "https://x.com/CarlyGriggs13/status/1939625671279444244", "https://x.com/CarlyGriggs13/status/1939650171849093448", "https://x.com/CarlyGriggs13/status/1939712310505066650", "https://x.com/CarlyGriggs13/status/1939617123716014162", "https://x.com/CarlyGriggs13/status/1939754174805168619", "https://x.com/CarlyGriggs13/status/1939763694642372640", "https://x.com/CarlyGriggs13/status/1939659802268799350", "https://x.com/CarlyGriggs13/status/1939604277162590470", "https://x.com/CarlyGriggs13/status/1939624495515365783", "https://x.com/CarlyGriggs13/status/1939630827702292526", "https://x.com/CarlyGriggs13/status/1939627850421727300", "https://x.com/CarlyGriggs13/status/1939625846937145536", "https://x.com/CarlyGriggs13/status/1939762540117975491", "https://x.com/CarlyGriggs13/status/1939691464771969475", "https://x.com/CarlyGriggs13/status/1939478219742142471", "https://x.com/CarlyGriggs13/status/1939692051198562524", "https://x.com/CarlyGriggs13/status/1939633434860908549", "https://x.com/CarlyGriggs13/status/1939604568817520845", "https://x.com/CarlyGriggs13/status/1939763272770609580", "https://x.com/CarlyGriggs13/status/1939603387512983808", "https://x.com/CarlyGriggs13/status/1939708363144564950", "https://x.com/CarlyGriggs13/status/1939680980328960054", "https://x.com/CarlyGriggs13/status/1939681077611712662", "https://x.com/CarlyGriggs13/status/1939611020953059351", "https://x.com/CarlyGriggs13/status/1939610529229930681", "https://x.com/CarlyGriggs13/status/1939625966348951633", "https://x.com/CarlyGriggs13/status/1939614206325563698", "https://x.com/CarlyGriggs13/status/1939624574012059867", "https://x.com/CarlyGriggs13/status/1939628160913727587", "https://x.com/CarlyGriggs13/status/1939750101901353299", "https://x.com/CarlyGriggs13/status/1939615094260093200", "https://x.com/CarlyGriggs13/status/1939633207449976966", "https://x.com/CarlyGriggs13/status/1939624636745953396", "https://x.com/CarlyGriggs13/status/1939686601048957019", "https://x.com/CarlyGriggs13/status/1939762849980522564", "https://x.com/CarlyGriggs13/status/1939692741992030710", "https://x.com/CarlyGriggs13/status/1939619433955168442", "https://x.com/CarlyGriggs13/status/1939619884045898141", "https://x.com/CarlyGriggs13/status/1939708241459499368", "https://x.com/CarlyGriggs13/status/1939681299138048180", "https://x.com/CarlyGriggs13/status/1939609927330238845", "https://x.com/CarlyGriggs13/status/1939681239180497145", "https://x.com/CarlyGriggs13/status/1939711334431543576", "https://x.com/CarlyGriggs13/status/1939732230949003354", "https://x.com/CarlyGriggs13/status/1939686106112340353", "https://x.com/CarlyGriggs13/status/1939687074694586746", "https://x.com/CarlyGriggs13/status/1939610584665952624", "https://x.com/CarlyGriggs13/status/1939619826630046113", "https://x.com/CarlyGriggs13/status/1939627461337075886", "https://x.com/CarlyGriggs13/status/1939708066037203244", "https://x.com/CarlyGriggs13/status/1939686805852622889", "https://x.com/CarlyGriggs13/status/1939680472361206082", "https://x.com/CarlyGriggs13/status/1939732616736890978", "https://x.com/CarlyGriggs13/status/1939707020434628812" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Soco404" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Soco404" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6881ee43ee57a9877a635012", "name": "Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload", "description": "A new iteration of a broad cryptomining campaign, dubbed Soco404, has been identified. The attackers exploit vulnerabilities in cloud environments, particularly targeting PostgreSQL misconfigurations, to deploy cryptominers on both Linux and Windows systems. They use process masquerading, achieve persistence via cron jobs and shell initialization files, and rely on compromised legitimate servers for malware hosting. The malware communicates via local sockets and embeds payloads in fake 404 HTML pages on Google Sites. The campaign is part of a larger crypto-scam infrastructure, demonstrating a versatile and opportunistic operation. The attackers use multiple ingress tools and target various entry points, showing a flexible approach to maximize reach and persistence across diverse targets.", "modified": "2025-07-24T09:11:15.290000", "created": "2025-07-24T08:26:43.473000", "tags": [ "process-masquerading", "multiplatform", "fake-404-pages", "cryptomining", "cve-2025-24813", "compromised-servers", "postgresql", "persistence", "crypto-scam", "soco404" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Korea, Republic of" ], "malware_families": [ { "id": "Soco404", "display_name": "Soco404", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "URL": 2, "domain": 6, "hostname": 1 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68632cd7f6f2c2576c839a75", "name": "Twitter Feed - CarlyGriggs13 - 30-06-2025", "description": "", "modified": "2025-07-31T00:00:48.083000", "created": "2025-07-01T00:33:27.246000", "tags": [ "phishing", "ransomware" ], "references": [ "https://x.com/CarlyGriggs13/status/1939477801020928296", "https://x.com/CarlyGriggs13/status/1939477860164800960", "https://x.com/CarlyGriggs13/status/1939478168760377619", "https://x.com/CarlyGriggs13/status/1939478219742142471", "https://x.com/CarlyGriggs13/status/1939478271181169145", "https://x.com/CarlyGriggs13/status/1939478679957950968", "https://x.com/CarlyGriggs13/status/1939603387512983808", "https://x.com/CarlyGriggs13/status/1939603440381911244", "https://x.com/CarlyGriggs13/status/1939603605117440050", "https://x.com/CarlyGriggs13/status/1939603804585947275", "https://x.com/CarlyGriggs13/status/1939603863704612896", "https://x.com/CarlyGriggs13/status/1939604028599460098", "https://x.com/CarlyGriggs13/status/1939604277162590470", "https://x.com/CarlyGriggs13/status/1939604568817520845", "https://x.com/CarlyGriggs13/status/1939604728452632964", "https://x.com/CarlyGriggs13/status/1939604998872277206", "https://x.com/CarlyGriggs13/status/1939605326384533728", "https://x.com/CarlyGriggs13/status/1939605382722130165", "https://x.com/CarlyGriggs13/status/1939608007639191832", "https://x.com/CarlyGriggs13/status/1939608311847948542", "https://x.com/CarlyGriggs13/status/1939608810944872873", "https://x.com/CarlyGriggs13/status/1939609536324657302", "https://x.com/CarlyGriggs13/status/1939609593543352669", "https://x.com/CarlyGriggs13/status/1939609927330238845", "https://x.com/CarlyGriggs13/status/1939610056523149760", "https://x.com/CarlyGriggs13/status/1939610111590215949", "https://x.com/CarlyGriggs13/status/1939610354666947064", "https://x.com/CarlyGriggs13/status/1939610407448281271", "https://x.com/CarlyGriggs13/status/1939610529229930681", "https://x.com/CarlyGriggs13/status/1939610584665952624", "https://x.com/CarlyGriggs13/status/1939611020953059351", "https://x.com/CarlyGriggs13/status/1939612558501007860", "https://x.com/CarlyGriggs13/status/1939613758147494200", "https://x.com/CarlyGriggs13/status/1939614083218907356", "https://x.com/CarlyGriggs13/status/1939614206325563698", "https://x.com/CarlyGriggs13/status/1939614344494436705", "https://x.com/CarlyGriggs13/status/1939614795872760106", "https://x.com/CarlyGriggs13/status/1939615094260093200", "https://x.com/CarlyGriggs13/status/1939615153957531998", "https://x.com/CarlyGriggs13/status/1939615531247538434", "https://x.com/CarlyGriggs13/status/1939615648667029778", "https://x.com/CarlyGriggs13/status/1939615707286904862", "https://x.com/CarlyGriggs13/status/1939617123716014162", "https://x.com/CarlyGriggs13/status/1939618701470535851", "https://x.com/CarlyGriggs13/status/1939619433955168442", "https://x.com/CarlyGriggs13/status/1939619507015741849", "https://x.com/CarlyGriggs13/status/1939619565094191429", "https://x.com/CarlyGriggs13/status/1939619621251997865", "https://x.com/CarlyGriggs13/status/1939619826630046113", "https://x.com/CarlyGriggs13/status/1939619884045898141", "https://x.com/CarlyGriggs13/status/1939619940102782996", "https://x.com/CarlyGriggs13/status/1939619997854355963", "https://x.com/CarlyGriggs13/status/1939620055223767542", "https://x.com/CarlyGriggs13/status/1939620773573857336", "https://x.com/CarlyGriggs13/status/1939620825776144859", "https://x.com/CarlyGriggs13/status/1939621226327970191", "https://x.com/CarlyGriggs13/status/1939621340622823655", "https://x.com/CarlyGriggs13/status/1939622063569785165", "https://x.com/CarlyGriggs13/status/1939622437135737189", "https://x.com/CarlyGriggs13/status/1939623012837543938", "https://x.com/CarlyGriggs13/status/1939623126049919100", "https://x.com/CarlyGriggs13/status/1939624400644624645", "https://x.com/CarlyGriggs13/status/1939624495515365783", "https://x.com/CarlyGriggs13/status/1939624574012059867", "https://x.com/CarlyGriggs13/status/1939624636745953396", "https://x.com/CarlyGriggs13/status/1939624774314893754", "https://x.com/CarlyGriggs13/status/1939624828933190007", "https://x.com/CarlyGriggs13/status/1939624948286517729", "https://x.com/CarlyGriggs13/status/1939625090426995040", "https://x.com/CarlyGriggs13/status/1939625262498332747", "https://x.com/CarlyGriggs13/status/1939625322011304322", "https://x.com/CarlyGriggs13/status/1939625671279444244", "https://x.com/CarlyGriggs13/status/1939625729416683945", "https://x.com/CarlyGriggs13/status/1939625788975808938", "https://x.com/CarlyGriggs13/status/1939625846937145536", "https://x.com/CarlyGriggs13/status/1939625966348951633", "https://x.com/CarlyGriggs13/status/1939627461337075886", "https://x.com/CarlyGriggs13/status/1939627633509335085", "https://x.com/CarlyGriggs13/status/1939627755848487230", "https://x.com/CarlyGriggs13/status/1939627850421727300", "https://x.com/CarlyGriggs13/status/1939627906730180933", "https://x.com/CarlyGriggs13/status/1939628107683479799", "https://x.com/CarlyGriggs13/status/1939628160913727587", "https://x.com/CarlyGriggs13/status/1939628761491661256", "https://x.com/CarlyGriggs13/status/1939629072570515537", "https://x.com/CarlyGriggs13/status/1939630146970878011", "https://x.com/CarlyGriggs13/status/1939630437032489095", "https://x.com/CarlyGriggs13/status/1939630827702292526", "https://x.com/CarlyGriggs13/status/1939632493935669268", "https://x.com/CarlyGriggs13/status/1939632882399514797", "https://x.com/CarlyGriggs13/status/1939633207449976966", "https://x.com/CarlyGriggs13/status/1939633434860908549", "https://x.com/CarlyGriggs13/status/1939635228756365368", "https://x.com/CarlyGriggs13/status/1939635935806955915", "https://x.com/CarlyGriggs13/status/1939635991469576399", "https://x.com/CarlyGriggs13/status/1939636102543065508", "https://x.com/CarlyGriggs13/status/1939636155735007274", "https://x.com/CarlyGriggs13/status/1939636317203104065", "https://x.com/CarlyGriggs13/status/1939650171849093448", "https://x.com/CarlyGriggs13/status/1939650497947865437", "https://x.com/CarlyGriggs13/status/1939653395108741341", "https://x.com/CarlyGriggs13/status/1939659802268799350", "https://x.com/CarlyGriggs13/status/1939659857587581001", "https://x.com/CarlyGriggs13/status/1939659910897152202", "https://x.com/CarlyGriggs13/status/1939680418883645713", "https://x.com/CarlyGriggs13/status/1939680472361206082", "https://x.com/CarlyGriggs13/status/1939680574152843433", "https://x.com/CarlyGriggs13/status/1939680824388952394", "https://x.com/CarlyGriggs13/status/1939680880483819986", "https://x.com/CarlyGriggs13/status/1939680980328960054", "https://x.com/CarlyGriggs13/status/1939681077611712662", "https://x.com/CarlyGriggs13/status/1939681137443676491", "https://x.com/CarlyGriggs13/status/1939681239180497145", "https://x.com/CarlyGriggs13/status/1939681299138048180", "https://x.com/CarlyGriggs13/status/1939681442944233478", "https://x.com/CarlyGriggs13/status/1939681561731068195", "https://x.com/CarlyGriggs13/status/1939681619029250145", "https://x.com/CarlyGriggs13/status/1939681674091991404", "https://x.com/CarlyGriggs13/status/1939681857114710382", "https://x.com/CarlyGriggs13/status/1939681954821026092", "https://x.com/CarlyGriggs13/status/1939685851241590922", "https://x.com/CarlyGriggs13/status/1939686106112340353", "https://x.com/CarlyGriggs13/status/1939686322253234510", "https://x.com/CarlyGriggs13/status/1939686377605738607", "https://x.com/CarlyGriggs13/status/1939686439291179223", "https://x.com/CarlyGriggs13/status/1939686601048957019", "https://x.com/CarlyGriggs13/status/1939686651694895459", "https://x.com/CarlyGriggs13/status/1939686731009409501", "https://x.com/CarlyGriggs13/status/1939686805852622889", "https://x.com/CarlyGriggs13/status/1939687074694586746", "https://x.com/CarlyGriggs13/status/1939687563238719771", "https://x.com/CarlyGriggs13/status/1939687927929282999", "https://x.com/CarlyGriggs13/status/1939688688084013510", "https://x.com/CarlyGriggs13/status/1939689136295928303", "https://x.com/CarlyGriggs13/status/1939689340440871244", "https://x.com/CarlyGriggs13/status/1939691258911281270", "https://x.com/CarlyGriggs13/status/1939691339786166494", "https://x.com/CarlyGriggs13/status/1939691464771969475", "https://x.com/CarlyGriggs13/status/1939691653880844773", "https://x.com/CarlyGriggs13/status/1939691816753770843", "https://x.com/CarlyGriggs13/status/1939691891953447290", "https://x.com/CarlyGriggs13/status/1939692051198562524", "https://x.com/CarlyGriggs13/status/1939692150918455501", "https://x.com/CarlyGriggs13/status/1939692205729296429", "https://x.com/CarlyGriggs13/status/1939692347970736543", "https://x.com/CarlyGriggs13/status/1939692429218853067", "https://x.com/CarlyGriggs13/status/1939692565575733389", "https://x.com/CarlyGriggs13/status/1939692689064378427", "https://x.com/CarlyGriggs13/status/1939692741992030710", "https://x.com/CarlyGriggs13/status/1939692804122583433", "https://x.com/CarlyGriggs13/status/1939692867338768735", "https://x.com/CarlyGriggs13/status/1939693068631851409", "https://x.com/CarlyGriggs13/status/1939694031241674953", "https://x.com/CarlyGriggs13/status/1939694575666249888", "https://x.com/CarlyGriggs13/status/1939698982588235779", "https://x.com/CarlyGriggs13/status/1939702578662510784", "https://x.com/CarlyGriggs13/status/1939702998738846196", "https://x.com/CarlyGriggs13/status/1939703057094529409", "https://x.com/CarlyGriggs13/status/1939704323220341244", "https://x.com/CarlyGriggs13/status/1939704712758001931", "https://x.com/CarlyGriggs13/status/1939707020434628812", "https://x.com/CarlyGriggs13/status/1939707506084794396", "https://x.com/CarlyGriggs13/status/1939707649328611676", "https://x.com/CarlyGriggs13/status/1939707850353414547", "https://x.com/CarlyGriggs13/status/1939708066037203244", "https://x.com/CarlyGriggs13/status/1939708123264238022", "https://x.com/CarlyGriggs13/status/1939708179669016717", "https://x.com/CarlyGriggs13/status/1939708241459499368", "https://x.com/CarlyGriggs13/status/1939708363144564950", "https://x.com/CarlyGriggs13/status/1939708486754971762", "https://x.com/CarlyGriggs13/status/1939710992734191701", "https://x.com/CarlyGriggs13/status/1939711334431543576", "https://x.com/CarlyGriggs13/status/1939711789341524470", "https://x.com/CarlyGriggs13/status/1939711886242546137", "https://x.com/CarlyGriggs13/status/1939711946078777769", "https://x.com/CarlyGriggs13/status/1939712249678975404", "https://x.com/CarlyGriggs13/status/1939712310505066650", "https://x.com/CarlyGriggs13/status/1939712364728758459", "https://x.com/CarlyGriggs13/status/1939712802429587694", "https://x.com/CarlyGriggs13/status/1939713508930695295", "https://x.com/CarlyGriggs13/status/1939713565914517685", "https://x.com/CarlyGriggs13/status/1939716326114595217", "https://x.com/CarlyGriggs13/status/1939716574954541243", "https://x.com/CarlyGriggs13/status/1939716698661175554", "https://x.com/CarlyGriggs13/status/1939716817083093317", "https://x.com/CarlyGriggs13/status/1939717255186530413", "https://x.com/CarlyGriggs13/status/1939717311268782505", "https://x.com/CarlyGriggs13/status/1939718339405721927", "https://x.com/CarlyGriggs13/status/1939718395538382912", "https://x.com/CarlyGriggs13/status/1939720864167309481", "https://x.com/CarlyGriggs13/status/1939720955187613810", "https://x.com/CarlyGriggs13/status/1939721076776292543", "https://x.com/CarlyGriggs13/status/1939721367819292858", "https://x.com/CarlyGriggs13/status/1939728327662870787", "https://x.com/CarlyGriggs13/status/1939728752910774376", "https://x.com/CarlyGriggs13/status/1939729002522190330", "https://x.com/CarlyGriggs13/status/1939729215143714986", "https://x.com/CarlyGriggs13/status/1939729444999979142", "https://x.com/CarlyGriggs13/status/1939729507579306372", "https://x.com/CarlyGriggs13/status/1939729632959353264", "https://x.com/CarlyGriggs13/status/1939729706020229612", "https://x.com/CarlyGriggs13/status/1939729755521040649", "https://x.com/CarlyGriggs13/status/1939729810495778898", "https://x.com/CarlyGriggs13/status/1939729868595560874", "https://x.com/CarlyGriggs13/status/1939729926703165896", "https://x.com/CarlyGriggs13/status/1939731861854724456", "https://x.com/CarlyGriggs13/status/1939732169221398769", "https://x.com/CarlyGriggs13/status/1939732230949003354", "https://x.com/CarlyGriggs13/status/1939732567311491295", "https://x.com/CarlyGriggs13/status/1939732616736890978", "https://x.com/CarlyGriggs13/status/1939732673431323033", "https://x.com/CarlyGriggs13/status/1939736185623949786", "https://x.com/CarlyGriggs13/status/1939736585731547462", "https://x.com/CarlyGriggs13/status/1939736715482006004", "https://x.com/CarlyGriggs13/status/1939737053606158609", "https://x.com/CarlyGriggs13/status/1939737178017235116", "https://x.com/CarlyGriggs13/status/1939737386260349392", "https://x.com/CarlyGriggs13/status/1939741632187756791", "https://x.com/CarlyGriggs13/status/1939744181364089226", "https://x.com/CarlyGriggs13/status/1939744639759659511", "https://x.com/CarlyGriggs13/status/1939750101901353299", "https://x.com/CarlyGriggs13/status/1939750443841716255", "https://x.com/CarlyGriggs13/status/1939751768189280349", "https://x.com/CarlyGriggs13/status/1939752080186491207", "https://x.com/CarlyGriggs13/status/1939752407291842778", "https://x.com/CarlyGriggs13/status/1939752574250336311", "https://x.com/CarlyGriggs13/status/1939754174805168619", "https://x.com/CarlyGriggs13/status/1939755835980411377", "https://x.com/CarlyGriggs13/status/1939756979985293782", "https://x.com/CarlyGriggs13/status/1939759196712706378", "https://x.com/CarlyGriggs13/status/1939759255868870789", "https://x.com/CarlyGriggs13/status/1939759375742062746", "https://x.com/CarlyGriggs13/status/1939761102222430642", "https://x.com/CarlyGriggs13/status/1939761164130410580", "https://x.com/CarlyGriggs13/status/1939762540117975491", "https://x.com/CarlyGriggs13/status/1939762724080132149", "https://x.com/CarlyGriggs13/status/1939762849980522564", "https://x.com/CarlyGriggs13/status/1939763022383452166", "https://x.com/CarlyGriggs13/status/1939763080499691778", "https://x.com/CarlyGriggs13/status/1939763147121766798", "https://x.com/CarlyGriggs13/status/1939763272770609580", "https://x.com/CarlyGriggs13/status/1939763334712332365", "https://x.com/CarlyGriggs13/status/1939763393520341284", "https://x.com/CarlyGriggs13/status/1939763451728986221", "https://x.com/CarlyGriggs13/status/1939763506330341812", "https://x.com/CarlyGriggs13/status/1939763565763690867", "https://x.com/CarlyGriggs13/status/1939763694642372640", "https://x.com/CarlyGriggs13/status/1939768508771893477", "https://x.com/CarlyGriggs13/status/1939769456491995208", "https://x.com/CarlyGriggs13/status/1939773147382751262", "https://x.com/CarlyGriggs13/status/1939806212746568106", "https://x.com/CarlyGriggs13/status/1939808445110141321" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 250, "domain": 201 }, "indicator_count": 485, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68837bfd1e1f57f512edc8e5", "name": "soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload", "description": "", "modified": "2025-07-25T12:43:41.340000", "created": "2025-07-25T12:43:41.340000", "tags": [ "research", "vulnerabilities", "strong", "elf malware", "sha256", "defense evasion", "soco404", "postgresql", "linux", "devnull", "windows malware", "payload", "persistence", "powershell", "grep", "path", "execution", "copy", "kill", "malware", "xmrig", "possible", "impact", "sharepoint", "footer" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload#iocs-77" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "URL": 2, "domain": 6, "hostname": 2 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "309 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6882ee699d0263126091241e", "name": "IOC - Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload", "description": "", "modified": "2025-07-25T02:39:37.947000", "created": "2025-07-25T02:39:37.947000", "tags": [ "process-masquerading", "multiplatform", "fake-404-pages", "cryptomining", "cve-2025-24813", "compromised-servers", "postgresql", "persistence", "crypto-scam", "soco404" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Democratic People's Republic of", "Korea, Republic of" ], "malware_families": [ { "id": "Soco404", "display_name": "Soco404", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6881ee43ee57a9877a635012", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 25, "URL": 2, "domain": 6, "hostname": 1 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "310 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6881acaffcbc5b1e7c7fa881", "name": "Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload.", "description": "Wiz Research has observed a new phase of a malicious cryptomining campaign termed Soco404, which utilizes advanced techniques to exploit vulnerabilities in cloud environments, specifically focusing on misconfigurations in PostgreSQL databases. The campaign deploys malware that targets both Linux and Windows systems by using compromised servers to deliver DLL files and executables. The attackers employ a variety of legitimate utilities, such as certutil, PowerShell's Invoke-WebRequest, and curl, to enhance their chances of successfully downloading and executing malicious binaries like ok.exe in Windows environments. These binaries are often retrieved to public directories, which are easily writable, facilitating their installation.", "modified": "2025-07-24T03:46:55.856000", "created": "2025-07-24T03:46:55.856000", "tags": [ "research", "vulnerabilities", "strong", "elf malware", "sha256", "defense evasion", "soco404", "postgresql", "linux", "devnull", "windows malware", "payload", "persistence", "powershell", "grep", "path", "execution", "copy", "kill", "malware", "xmrig", "possible", "impact", "sharepoint", "footer", "crypto scam", "files", "mining pool", "attacker" ], "references": [ "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 26, "URL": 2, "domain": 6, "hostname": 2 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "311 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hkcapitals.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hkcapitals.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780206240.836506 }