{
  "type": "Domain",
  "indicator": "hkinuxb3bz.top",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/hkinuxb3bz.top",
    "alexa": "http://www.alexa.com/siteinfo/hkinuxb3bz.top",
    "indicator": "hkinuxb3bz.top",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4010017045,
      "indicator": "hkinuxb3bz.top",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "681113e0e23f344e6f364fb1",
          "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
          "description": "MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-04-29T18:01:04.133000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 51,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386463,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678e2ed0691dbaf790bf355c",
          "name": "MintsLoader: StealC and BOINC Delivery",
          "description": "The eSentire Threat Response Unit identified a campaign involving MintsLoader, a PowerShell-based malware loader, delivering payloads such as StealC and the BOINC client. MintsLoader uses a Domain Generation Algorithm and anti-VM techniques to evade detection. The infection process begins with a link in a spam email that downloads a JScript file, which then executes PowerShell commands to retrieve and execute the malware stages. StealC, an information stealer, is delivered as the final payload, targeting sensitive data from browsers, applications, and crypto-wallets. The campaign affected organizations in the US and Europe, primarily in the Electricity, Oil & Gas, and Legal Services industries.",
          "modified": "2025-02-19T11:00:24.601000",
          "created": "2025-01-20T11:09:04.825000",
          "tags": [
            "mintsloader",
            "boinc",
            "information stealer",
            "stealc"
          ],
          "references": [
            "https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "BOINC",
              "display_name": "BOINC",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [
            "Energy",
            "Legal"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 71,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "domain": 57,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 3,
            "hostname": 1
          },
          "indicator_count": 67,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386461,
          "modified_text": "465 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689481dbbbd16703c99f5f10",
          "name": "Collection of Malware (MintsLoader & SocGholish)",
          "description": "",
          "modified": "2025-09-06T10:00:39.896000",
          "created": "2025-08-07T10:37:15.375000",
          "tags": [],
          "references": [
            "Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 211,
            "URL": 115,
            "domain": 104,
            "hostname": 37
          },
          "indicator_count": 619,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "266 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "351 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6818de9f2cd48e06f1507998",
          "name": "MintsLoader",
          "description": "MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as early as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-05T15:51:59.660000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681c57c4b9f1412274b9a51d",
          "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-08T07:05:40.216000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6818de9f2cd48e06f1507998",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681d952c8bca2dc530ab73cb",
          "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "",
          "modified": "2025-06-04T15:04:52.775000",
          "created": "2025-05-09T05:39:56.696000",
          "tags": [],
          "references": [
            "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "681c57c4b9f1412274b9a51d",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 140,
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 204,
            "domain": 89
          },
          "indicator_count": 585,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6811c44c0d8cde7d41dfc3f8",
          "name": "IOC&TTP - Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
          "description": "MintsLoader \u662f\u4e00\u79cd\u81ea 2024 \u5e74\u8d77\u5728\u9493\u9c7c\u90ae\u4ef6\u548c\u201c\u5047\u66f4\u65b0\u201d\u9a71\u52a8\u4e0b\u8f7d\u6d3b\u52a8\u4e2d\u88ab\u5e7f\u6cdb\u6295\u653e\u7684\u591a\u9636\u6bb5\u6076\u610f\u52a0\u8f7d\u5668\u3002\u5b83\u5148\u4ee5\u9ad8\u5ea6\u6df7\u6dc6\u7684 JavaScript \u548c PowerShell \u811a\u672c\u4e3a\u8f7d\u4f53\uff0c\u901a\u8fc7\u6c99\u7bb1/\u865a\u62df\u673a\u9003\u9038\u4e0e\u57fa\u4e8e\u65e5\u671f\u7684 DGA \u57df\u540d\u9690\u85cf C2 \u57fa\u7840\u8bbe\u65bd\uff0c\u968f\u540e\u4e0b\u53d1\u4e8c\u9636\u6bb5\u6709\u6548\u8f7d\u8377\uff08GhostWeaver\u3001StealC\u3001\u7ecf\u4fee\u6539\u7684 BOINC \u5ba2\u6237\u7aef\u7b49\uff09\u3002\u76ee\u524d\u5df2\u77e5\u7684\u6295\u653e\u6e20\u9053\u5305\u62ec TAG-124 \uff08LandUpdate808\uff09\u9488\u5bf9\u5de5\u4e1a\u3001\u80fd\u6e90\u53ca\u6cd5\u5f8b\u884c\u4e1a\u7684\u9c7c\u53c9\u5f0f\u90ae\u4ef6\u3001SocGholish\uff08FakeUpdates\uff09\u7be1\u6539\u7f51\u7ad9\u7684\u4f2a\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u4ee5\u53ca\u5229\u7528\u610f\u5927\u5229 PEC \u8ba4\u8bc1\u90ae\u7bb1\u6295\u9012\u7684\u201c\u53d1\u7968\u201d\u4e3b\u9898\u90ae\u4ef6\u3002\u7531\u4e8e\u6301\u7eed\u4f7f\u7528\u4ee3\u7801\u6df7\u6dc6\u3001\u73af\u5883\u63a2\u6d4b\u4e0e\u52a8\u6001\u57fa\u7840\u8bbe\u65bd\uff0cMintsLoader \u7ed9\u9759\u6001/\u884c\u4e3a\u68c0\u6d4b\u5e26\u6765\u6311\u6218\uff0c\u4f46\u5176\u57fa\u4e8e HTTP \u7684\u901a\u4fe1\u4e5f\u4e3a\u9632\u5fa1\u65b9\u63d0\u4f9b\u4e86\u53ef\u76d1\u6d4b\u9762\u3002",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-04-30T06:33:48.612000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "681113e0e23f344e6f364fb1",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6821a0bba01c2436ac892d3c",
          "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
          "description": "",
          "modified": "2025-05-29T18:05:10.830000",
          "created": "2025-05-12T07:18:19.466000",
          "tags": [
            "asyncrat",
            "boinc",
            "tag-124",
            "socgholish",
            "stealc",
            "multi-stage loader",
            "phishing",
            "ghostweaver",
            "mintsloader",
            "drive-by download"
          ],
          "references": [
            "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
            "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
          ],
          "public": 1,
          "adversary": "TAG-124",
          "targeted_countries": [
            "Italy"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "GhostWeaver",
              "display_name": "GhostWeaver",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Energy",
            "Legal",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "681113e0e23f344e6f364fb1",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 63,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 204,
            "URL": 138,
            "domain": 88
          },
          "indicator_count": 556,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c0cdc35112c5919563a334",
          "name": "Intel is bad awy",
          "description": "",
          "modified": "2025-03-29T20:01:20.482000",
          "created": "2025-02-27T20:40:35.539000",
          "tags": [
            "sign",
            "github",
            "find",
            "view",
            "search",
            "strong",
            "code issues",
            "pull",
            "breadcrumbs",
            "damn",
            "star",
            "footer",
            "sha1",
            "helldown linux",
            "iocs helldown",
            "windows payload",
            "icon",
            "darkrace",
            "donex",
            "ransom",
            "defanged file",
            "hashes",
            "ipv4",
            "sha256",
            "c2 ip",
            "address",
            "plugin",
            "brazanbamboo c2",
            "panel",
            "archive file",
            "bha006",
            "telegram bot",
            "token",
            "chat id",
            "sha256 hashes",
            "iocs",
            "intermediary",
            "landing",
            "aitm server",
            "compromise note",
            "hashes payload",
            "loader",
            "dropper",
            "ips https",
            "urls https",
            "duoyi",
            "ioc url",
            "ipv4 address",
            "c2 server",
            "sample sha256",
            "remcos",
            "decrypted",
            "urls http",
            "payload",
            "amos stealer",
            "stealc c2",
            "rhadamanthys c2",
            "phishing urls",
            "google meet",
            "amos steaker",
            "html payload",
            "stealc payload",
            "md5 hashes",
            "sha1 hashes",
            "iocs zip",
            "lnk file",
            "msi file",
            "payload url",
            "eldorado",
            "linux",
            "service dll",
            "cheat engine",
            "c2 domain",
            "compromise",
            "urls",
            "iocs files",
            "network ip",
            "domain",
            "malware hash",
            "noopldr type1",
            "noopldr type2",
            "download url",
            "email addresses",
            "block",
            "ioc http",
            "iocs hash",
            "url https",
            "ghostgambit",
            "hidden rootkit",
            "gh0strat",
            "mekotio banking",
            "financial",
            "latin america",
            "detected",
            "zipmsi",
            "downloader",
            "ip address",
            "cobalt strike",
            "first seen",
            "seen",
            "pantegana",
            "tls certificate",
            "fingerprint",
            "samples",
            "trojanspy",
            "msi",
            "subdomains",
            "reddit",
            "wetransfer",
            "ioc hash",
            "file hashes",
            "ip addresses",
            "fake captcha",
            "html",
            "hta script",
            "lumma payload",
            "filehashsha256",
            "indicator type",
            "sha256 lnk",
            "ports",
            "first stage",
            "md5 file",
            "domains",
            "reddelta c2",
            "servers",
            "octoberdecember",
            "shortcut",
            "files",
            "solo airfield",
            "quoc",
            "bctt",
            "kongtuke",
            "mintsloader c2",
            "js download",
            "c2 http",
            "boinc c2",
            "c2 address",
            "analyzed",
            "file name",
            "na stark",
            "na majestic",
            "description",
            "trojanized",
            "beavertail",
            "anydesk module",
            "domain hosting",
            "first",
            "details",
            "monitor",
            "sites",
            "fake chrome",
            "payload host",
            "c2 https",
            "examples",
            "atomic stealer",
            "c2 servers",
            "cthulhu stealer",
            "server http",
            "l files",
            "original",
            "iocs malicious",
            "mirrowsimps",
            "defanged",
            "strike loaders",
            "plugx",
            "plugx c2",
            "sspiuacbypass",
            "malware",
            "malware c2",
            "filehashmd5",
            "site",
            "orgvgodpayment",
            "quite solsjoas",
            "ioc sha256",
            "similar sha256",
            "http",
            "url hundreds",
            "url samples",
            "filehash",
            "guidloader",
            "finaldraft elf",
            "type name",
            "reference",
            "finaldraft",
            "sha256 pfman",
            "pathloader",
            "atomic https",
            "systembc",
            "ghostsocks",
            "invisibleferret",
            "vant",
            "rspackcore",
            "monero",
            "sha256 hash",
            "code snippets",
            "psexec",
            "ituneshelper",
            "pscp",
            "sftp",
            "googleupdate",
            "meshagent",
            "ultravnc",
            "file",
            "bootkitty iocs",
            "phpsert",
            "phpsert variant",
            "createdump tool",
            "visual studio",
            "code",
            "server",
            "sql injection",
            "studio code",
            "ssh access",
            "hta file",
            "vbshower c2",
            "powershower c2",
            "cloud",
            "hta md5",
            "domain name",
            "links",
            "c http",
            "horns",
            "version",
            "version b",
            "version c",
            "version d",
            "version e",
            "burnsrat c",
            "a http",
            "github users",
            "shell commands",
            "vssadmin delete",
            "userprofile",
            "public",
            "registry keys",
            "phobos",
            "lettointago",
            "carljohnson1948",
            "samuelwhite1821",
            "file hash",
            "lockbit",
            "indicatortype",
            "data",
            "mlpea",
            "w32neshtad",
            "gmer",
            "neshta",
            "opswat oesis",
            "v4 removal"
          ],
          "references": [
            "Bootkitty",
            "Glove-Stealer",
            "Fake Discount Sites Exploit Black Friday",
            "Helldown Ransomware",
            "HawkEye Malware",
            "PXA Stealer",
            "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
            "BrazenBamboo",
            "SpyGlace",
            "RustyStealer and New Ymir Ransomware",
            "PyPI-AIOCPA",
            "Python NodeStealer",
            "romcom-exploits-firefox-and-windows",
            "Rockstar-Phishing",
            "Silent Skimmer Gets Loud (Again)",
            "SteelFox Trojan",
            "WezRat Malware",
            "Avast-Anti-Root-KIt",
            "Winos4.0 RAT",
            "APT36",
            "WolfsBane Backdoor",
            "APT-K-47",
            "Remcos RAT",
            "babbleloader",
            "Bitter APT",
            "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
            "CloudScout_ Evasive Panda scouting cloud services",
            "clickfix-tactic",
            "Akira Ransomware",
            "Bumblebee Malware",
            "ELDORADO RANSOMWARE",
            "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
            "Demodex rootkit",
            "BugSleep Malware",
            "HotPage.exe (malware)",
            "Qilin Ransomware",
            "NOOPDOOR Malware",
            "Shadowroot Ransomware",
            "play ransomware",
            "MALLOX RANSOMWARE",
            "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
            "ACR Stealer",
            "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
            "Gh0stGambit",
            "MEKOTIO BANKING TROJAN",
            "TAG-100",
            "Fake game sites lead to information stealers",
            "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
            "macOS Users Targeted by the New Variant of Banshee Infostealer",
            "Hundreds of fake Reddit sites push Lumma Stealer malware",
            "GamaCopy APT Group Mimicking GamaRedon",
            "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
            "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
            "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
            "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
            "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
            "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
            "RansomHub Affiliate leverages Python-based backdoor",
            "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
            "Advanced Evasion Techniques Used by NonEuclid RAT",
            "The Return of PlugX Malware with Fresh Tricks",
            "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
            "Weaponized Software Targeting Chinese Organizations",
            "Threat Surge as Lumma Stealer Expands Its Reach",
            "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
            "MintsLoader_Stealc",
            "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
            "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
            "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
            "Salt Typhoon  Target U.S. Telecom Networks",
            "SecTopRAT",
            "Stealers on the Rise",
            "Snake Keylogger",
            "AsyncRAT Reloaded",
            "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
            "FatalRAT",
            "SystemBC RAT Poses New Risks to Linux System",
            "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
            "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
            "Espionage Campaign Targeting South Asian Entities",
            "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
            "The New Ransomware Menace Vgod Gains Momentum",
            "Microsoft Advertisers Phished via Malicious Google Ads",
            "LegionLoader Malware Expands Global Reach",
            "NEW.txt",
            "From Stealers to Ransomware PureCrypter Delivers It All",
            "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
            "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
            "LockBit Ransomware Attack Leveraging Cobalt Strike",
            "Rspack_Compromised_Packages",
            "SmokeLoader",
            "Sock5Systemz-PROXY-AM",
            "solana-backdoor",
            "U.S. Organization in China Targeted by Attackers",
            "UAC-0185 attacks warned by CERT-UA",
            "BellaCpp",
            "bootkitty(logofail)",
            "Visual Studio Code Remote tunnels",
            "Cloud Atlas seen using a new tool in its attacks",
            "Christmas-Themed LNK Files Used for Malware Delivery",
            "DarkGate",
            "MirrorFace Campain",
            "horns-hooves",
            "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
            "NetSupport RAT and BurnsRAT",
            "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
            "MUT-1244-GitHub",
            "Phobos ransomware",
            "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
            "PUMAKIT",
            "OtterCookie used by Contagious Interview",
            "Ransomware-Lockbit3-IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mekotio Banking",
              "display_name": "Mekotio Banking",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "MSI",
              "display_name": "MSI",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            },
            {
              "id": "Vant",
              "display_name": "Vant",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 84,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Badderawy",
            "id": "310597",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 950,
            "FileHash-SHA1": 847,
            "FileHash-SHA256": 1060,
            "hostname": 1158,
            "domain": 867,
            "URL": 813,
            "email": 77,
            "CIDR": 2,
            "CVE": 9
          },
          "indicator_count": 5783,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "427 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67983e13411d9f461113e525",
          "name": "Malware Campaign Targets Industries with MintsLoader Payloads",
          "description": "Rsettahome.com has been named as the world's most popular social media site for people with disabilities and learning disabilities, but what does it mean for those who have not yet seen it?",
          "modified": "2025-02-27T02:04:59.434000",
          "created": "2025-01-28T02:16:51.460000",
          "tags": [
            "hxxp",
            "hxxps"
          ],
          "references": [
            "January 28th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #6243 - Malware Campaign Targets Industries with MintsLoader Payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 57,
            "hostname": 1
          },
          "indicator_count": 65,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "457 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6790ada3d43b960e26253e98",
          "name": "MintsLoader: StealC and BOINC Delivery",
          "description": "",
          "modified": "2025-02-19T11:00:24.601000",
          "created": "2025-01-22T08:34:43.015000",
          "tags": [
            "mintsloader",
            "boinc",
            "information stealer",
            "stealc"
          ],
          "references": [
            "https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            },
            {
              "id": "StealC",
              "display_name": "StealC",
              "target": null
            },
            {
              "id": "BOINC",
              "display_name": "BOINC",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            }
          ],
          "industries": [
            "Energy",
            "Legal"
          ],
          "TLP": "white",
          "cloned_from": "678e2ed0691dbaf790bf355c",
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "domain": 57,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 3,
            "hostname": 1
          },
          "indicator_count": 67,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "465 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67703f9726ee81bc3afffe2e",
          "name": "TA582 Domains",
          "description": "TA582 Domains\nhttps://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
          "modified": "2025-01-16T04:24:12.096000",
          "created": "2024-12-28T18:12:39.703000",
          "tags": [],
          "references": [
            "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/"
          ],
          "public": 1,
          "adversary": "TA582",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "malasada.tech",
            "id": "277538",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 143,
            "hostname": 2
          },
          "indicator_count": 145,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "499 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "NEW.txt",
        "MALLOX RANSOMWARE",
        "FatalRAT",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "PXA Stealer",
        "BrazenBamboo",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "Cloud Atlas seen using a new tool in its attacks",
        "horns-hooves",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "AsyncRAT Reloaded",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "APT-K-47",
        "Silent Skimmer Gets Loud (Again)",
        "SteelFox Trojan",
        "Python NodeStealer",
        "WolfsBane Backdoor",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Gh0stGambit",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "DarkGate",
        "MintsLoader_Stealc",
        "The Return of PlugX Malware with Fresh Tricks",
        "Helldown Ransomware",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Visual Studio Code Remote tunnels",
        "Avast-Anti-Root-KIt",
        "clickfix-tactic",
        "Sock5Systemz-PROXY-AM",
        "play ransomware",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "BellaCpp",
        "ACR Stealer",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "HotPage.exe (malware)",
        "Bitter APT",
        "Ransomware-Lockbit3-IOCs.csv",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "SpyGlace",
        "MEKOTIO BANKING TROJAN",
        "WezRat Malware",
        "Weaponized Software Targeting Chinese Organizations",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "Glove-Stealer",
        "NetSupport RAT and BurnsRAT",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "ELDORADO RANSOMWARE",
        "romcom-exploits-firefox-and-windows",
        "SystemBC RAT Poses New Risks to Linux System",
        "HawkEye Malware",
        "https://malasada.tech/silent-push-to-find-smartapesg-landupdate808-and-ta582-infra/",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "SecTopRAT",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "PyPI-AIOCPA",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "MUT-1244-GitHub",
        "LegionLoader Malware Expands Global Reach",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "APT36",
        "Bumblebee Malware",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Fake game sites lead to information stealers",
        "GamaCopy APT Group Mimicking GamaRedon",
        "Rockstar-Phishing",
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "Akira Ransomware",
        "Fake Discount Sites Exploit Black Friday",
        "babbleloader",
        "UAC-0185 attacks warned by CERT-UA",
        "Rspack_Compromised_Packages",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "Phobos ransomware",
        "CloudScout_ Evasive Panda scouting cloud services",
        "https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery",
        "Bootkitty",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "January 28th, 2025 - CryptoGen Cyber Threat Intelligence Advisory #6243 - Malware Campaign Targets Industries with MintsLoader Payloads",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "solana-backdoor",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "OtterCookie used by Contagious Interview",
        "Qilin Ransomware",
        "Winos4.0 RAT",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "Remcos RAT",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "Malware.pdf",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "Demodex rootkit",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "bootkitty(logofail)",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "PUMAKIT",
        "Shadowroot Ransomware",
        "SmokeLoader",
        "MirrorFace Campain",
        "Espionage Campaign Targeting South Asian Entities",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "NOOPDOOR Malware",
        "Stealers on the Rise",
        "U.S. Organization in China Targeted by Attackers",
        "BugSleep Malware",
        "TAG-100",
        "RustyStealer and New Ymir Ransomware",
        "Snake Keylogger"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "TAG-124"
          ],
          "malware_families": [
            "Mintsloader",
            "Ghostweaver",
            "Boinc",
            "Stealc",
            "Asyncrat"
          ],
          "industries": [
            "Energy",
            "Manufacturing",
            "Legal"
          ]
        },
        "other": {
          "adversary": [
            "TAG-124",
            "TA582"
          ],
          "malware_families": [
            "Mintsloader",
            "Ghostweaver",
            "Msi",
            "Boinc",
            "Mekotio banking",
            "Stealc",
            "Trojanspy",
            "Vant",
            "Invisibleferret",
            "Asyncrat"
          ],
          "industries": [
            "Energy",
            "Manufacturing",
            "Legal"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "681113e0e23f344e6f364fb1",
      "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
      "description": "MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads like GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, utilize MintsLoader to target industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.",
      "modified": "2025-05-29T18:05:10.830000",
      "created": "2025-04-29T18:01:04.133000",
      "tags": [
        "asyncrat",
        "boinc",
        "tag-124",
        "socgholish",
        "stealc",
        "multi-stage loader",
        "phishing",
        "ghostweaver",
        "mintsloader",
        "drive-by download"
      ],
      "references": [
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
      ],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [
        "Italy"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Energy",
        "Legal",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 51,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 63,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 204,
        "URL": 138,
        "domain": 88
      },
      "indicator_count": 556,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386463,
      "modified_text": "366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678e2ed0691dbaf790bf355c",
      "name": "MintsLoader: StealC and BOINC Delivery",
      "description": "The eSentire Threat Response Unit identified a campaign involving MintsLoader, a PowerShell-based malware loader, delivering payloads like Stealc and BOINC client. MintsLoader uses a Domain Generation Algorithm and anti-VM techniques to evade detection. The infection process begins with a spam email link downloading a JScript file, which then executes PowerShell commands to retrieve and execute the malware stages. StealC, an information stealer, is delivered as the final payload, targeting sensitive data from browsers, applications, and crypto-wallets. The campaign affected organizations in the US and Europe, primarily in the Electricity, Oil & Gas, and Legal Services industries.",
      "modified": "2025-02-19T11:00:24.601000",
      "created": "2025-01-20T11:09:04.825000",
      "tags": [
        "mintsloader",
        "boinc",
        "information stealer",
        "stealc"
      ],
      "references": [
        "https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "BOINC",
          "display_name": "BOINC",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        }
      ],
      "industries": [
        "Energy",
        "Legal"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 71,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "domain": 57,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 3,
        "hostname": 1
      },
      "indicator_count": 67,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386461,
      "modified_text": "465 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689481dbbbd16703c99f5f10",
      "name": "Collection of Malware (MintsLoader & SocGholish)",
      "description": "",
      "modified": "2025-09-06T10:00:39.896000",
      "created": "2025-08-07T10:37:15.375000",
      "tags": [],
      "references": [
        "Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 211,
        "URL": 115,
        "domain": 104,
        "hostname": 37
      },
      "indicator_count": 619,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "266 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "351 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6818de9f2cd48e06f1507998",
      "name": "MintsLoader",
      "description": "MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download\ncampaigns as early as 2024. The loader commonly deploys second-stage payloads such as\nGhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing)\nclient. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and\nPowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain\ngeneration algorithm (DGA), and HTTP-based command-and-control (C2) communications.",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-05T15:51:59.660000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681c57c4b9f1412274b9a51d",
      "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-08T07:05:40.216000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6818de9f2cd48e06f1507998",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681d952c8bca2dc530ab73cb",
      "name": "Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "",
      "modified": "2025-06-04T15:04:52.775000",
      "created": "2025-05-09T05:39:56.696000",
      "tags": [],
      "references": [
        "https://go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "681c57c4b9f1412274b9a51d",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 140,
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 204,
        "domain": 89
      },
      "indicator_count": 585,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6811c44c0d8cde7d41dfc3f8",
      "name": "IOC&TTP - Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting",
      "description": "MintsLoader \u662f\u4e00\u79cd\u81ea 2024 \u5e74\u8d77\u5728\u9493\u9c7c\u90ae\u4ef6\u548c\u201c\u5047\u66f4\u65b0\u201d\u9a71\u52a8\u4e0b\u8f7d\u6d3b\u52a8\u4e2d\u88ab\u5e7f\u6cdb\u6295\u653e\u7684\u591a\u9636\u6bb5\u6076\u610f\u52a0\u8f7d\u5668\u3002\u5b83\u5148\u4ee5\u9ad8\u5ea6\u6df7\u6dc6\u7684 JavaScript \u548c PowerShell \u811a\u672c\u4e3a\u8f7d\u4f53\uff0c\u901a\u8fc7\u6c99\u7bb1/\u865a\u62df\u673a\u9003\u9038\u4e0e\u57fa\u4e8e\u65e5\u671f\u7684 DGA \u57df\u540d\u9690\u85cf C2 \u57fa\u7840\u8bbe\u65bd\uff0c\u968f\u540e\u4e0b\u53d1\u4e8c\u9636\u6bb5\u6709\u6548\u8f7d\u8377\uff08GhostWeaver\u3001StealC\u3001\u7ecf\u4fee\u6539\u7684 BOINC \u5ba2\u6237\u7aef\u7b49\uff09\u3002\u76ee\u524d\u5df2\u77e5\u7684\u6295\u653e\u6e20\u9053\u5305\u62ec TAG-124 \uff08LandUpdate808\uff09\u9488\u5bf9\u5de5\u4e1a\u3001\u80fd\u6e90\u53ca\u6cd5\u5f8b\u884c\u4e1a\u7684\u9c7c\u53c9\u5f0f\u90ae\u4ef6\u3001SocGholish\uff08FakeUpdates\uff09\u7be1\u6539\u7f51\u7ad9\u7684\u4f2a\u6d4f\u89c8\u5668\u66f4\u65b0\uff0c\u4ee5\u53ca\u5229\u7528\u610f\u5927\u5229 PEC \u8ba4\u8bc1\u90ae\u7bb1\u6295\u9012\u7684\u201c\u53d1\u7968\u201d\u4e3b\u9898\u90ae\u4ef6\u3002\u7531\u4e8e\u6301\u7eed\u4f7f\u7528\u4ee3\u7801\u6df7\u6dc6\u3001\u73af\u5883\u63a2\u6d4b\u4e0e\u52a8\u6001\u57fa\u7840\u8bbe\u65bd\uff0cMintsLoader \u7ed9\u9759\u6001/\u884c\u4e3a\u68c0\u6d4b\u5e26\u6765\u6311\u6218\uff0c\u4f46\u5176\u57fa\u4e8e HTTP \u7684\u901a\u4fe1\u4e5f\u4e3a\u9632\u5fa1\u65b9\u63d0\u4f9b\u4e86\u53ef\u76d1\u6d4b\u9762\u3002",
      "modified": "2025-05-29T18:05:10.830000",
      "created": "2025-04-30T06:33:48.612000",
      "tags": [
        "asyncrat",
        "boinc",
        "tag-124",
        "socgholish",
        "stealc",
        "multi-stage loader",
        "phishing",
        "ghostweaver",
        "mintsloader",
        "drive-by download"
      ],
      "references": [
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
      ],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [
        "Italy"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Energy",
        "Legal",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "681113e0e23f344e6f364fb1",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 63,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 204,
        "URL": 138,
        "domain": 88
      },
      "indicator_count": 556,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6821a0bba01c2436ac892d3c",
      "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
      "description": "",
      "modified": "2025-05-29T18:05:10.830000",
      "created": "2025-05-12T07:18:19.466000",
      "tags": [
        "asyncrat",
        "boinc",
        "tag-124",
        "socgholish",
        "stealc",
        "multi-stage loader",
        "phishing",
        "ghostweaver",
        "mintsloader",
        "drive-by download"
      ],
      "references": [
        "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
        "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
      ],
      "public": 1,
      "adversary": "TAG-124",
      "targeted_countries": [
        "Italy"
      ],
      "malware_families": [
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        },
        {
          "id": "GhostWeaver",
          "display_name": "GhostWeaver",
          "target": null
        },
        {
          "id": "StealC",
          "display_name": "StealC",
          "target": null
        },
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Energy",
        "Legal",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "681113e0e23f344e6f364fb1",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 63,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 204,
        "URL": 138,
        "domain": 88
      },
      "indicator_count": 556,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c0cdc35112c5919563a334",
      "name": "Intel is bad awy",
      "description": "",
      "modified": "2025-03-29T20:01:20.482000",
      "created": "2025-02-27T20:40:35.539000",
      "tags": [
        "sign",
        "github",
        "find",
        "view",
        "search",
        "strong",
        "code issues",
        "pull",
        "breadcrumbs",
        "damn",
        "star",
        "footer",
        "sha1",
        "helldown linux",
        "iocs helldown",
        "windows payload",
        "icon",
        "darkrace",
        "donex",
        "ransom",
        "defanged file",
        "hashes",
        "ipv4",
        "sha256",
        "c2 ip",
        "address",
        "plugin",
        "brazanbamboo c2",
        "panel",
        "archive file",
        "bha006",
        "telegram bot",
        "token",
        "chat id",
        "sha256 hashes",
        "iocs",
        "intermediary",
        "landing",
        "aitm server",
        "compromise note",
        "hashes payload",
        "loader",
        "dropper",
        "ips https",
        "urls https",
        "duoyi",
        "ioc url",
        "ipv4 address",
        "c2 server",
        "sample sha256",
        "remcos",
        "decrypted",
        "urls http",
        "payload",
        "amos stealer",
        "stealc c2",
        "rhadamanthys c2",
        "phishing urls",
        "google meet",
        "amos steaker",
        "html payload",
        "stealc payload",
        "md5 hashes",
        "sha1 hashes",
        "iocs zip",
        "lnk file",
        "msi file",
        "payload url",
        "eldorado",
        "linux",
        "service dll",
        "cheat engine",
        "c2 domain",
        "compromise",
        "urls",
        "iocs files",
        "network ip",
        "domain",
        "malware hash",
        "noopldr type1",
        "noopldr type2",
        "download url",
        "email addresses",
        "block",
        "ioc http",
        "iocs hash",
        "url https",
        "ghostgambit",
        "hidden rootkit",
        "gh0strat",
        "mekotio banking",
        "financial",
        "latin america",
        "detected",
        "zipmsi",
        "downloader",
        "ip address",
        "cobalt strike",
        "first seen",
        "seen",
        "pantegana",
        "tls certificate",
        "fingerprint",
        "samples",
        "trojanspy",
        "msi",
        "subdomains",
        "reddit",
        "wetransfer",
        "ioc hash",
        "file hashes",
        "ip addresses",
        "fake captcha",
        "html",
        "hta script",
        "lumma payload",
        "filehashsha256",
        "indicator type",
        "sha256 lnk",
        "ports",
        "first stage",
        "md5 file",
        "domains",
        "reddelta c2",
        "servers",
        "octoberdecember",
        "shortcut",
        "files",
        "solo airfield",
        "quoc",
        "bctt",
        "kongtuke",
        "mintsloader c2",
        "js download",
        "c2 http",
        "boinc c2",
        "c2 address",
        "analyzed",
        "file name",
        "na stark",
        "na majestic",
        "description",
        "trojanized",
        "beavertail",
        "anydesk module",
        "domain hosting",
        "first",
        "details",
        "monitor",
        "sites",
        "fake chrome",
        "payload host",
        "c2 https",
        "examples",
        "atomic stealer",
        "c2 servers",
        "cthulhu stealer",
        "server http",
        "l files",
        "original",
        "iocs malicious",
        "mirrowsimps",
        "defanged",
        "strike loaders",
        "plugx",
        "plugx c2",
        "sspiuacbypass",
        "malware",
        "malware c2",
        "filehashmd5",
        "site",
        "orgvgodpayment",
        "quite solsjoas",
        "ioc sha256",
        "similar sha256",
        "http",
        "url hundreds",
        "url samples",
        "filehash",
        "guidloader",
        "finaldraft elf",
        "type name",
        "reference",
        "finaldraft",
        "sha256 pfman",
        "pathloader",
        "atomic https",
        "systembc",
        "ghostsocks",
        "invisibleferret",
        "vant",
        "rspackcore",
        "monero",
        "sha256 hash",
        "code snippets",
        "psexec",
        "ituneshelper",
        "pscp",
        "sftp",
        "googleupdate",
        "meshagent",
        "ultravnc",
        "file",
        "bootkitty iocs",
        "phpsert",
        "phpsert variant",
        "createdump tool",
        "visual studio",
        "code",
        "server",
        "sql injection",
        "studio code",
        "ssh access",
        "hta file",
        "vbshower c2",
        "powershower c2",
        "cloud",
        "hta md5",
        "domain name",
        "links",
        "c http",
        "horns",
        "version",
        "version b",
        "version c",
        "version d",
        "version e",
        "burnsrat c",
        "a http",
        "github users",
        "shell commands",
        "vssadmin delete",
        "userprofile",
        "public",
        "registry keys",
        "phobos",
        "lettointago",
        "carljohnson1948",
        "samuelwhite1821",
        "file hash",
        "lockbit",
        "indicatortype",
        "data",
        "mlpea",
        "w32neshtad",
        "gmer",
        "neshta",
        "opswat oesis",
        "v4 removal"
      ],
      "references": [
        "Bootkitty",
        "Glove-Stealer",
        "Fake Discount Sites Exploit Black Friday",
        "Helldown Ransomware",
        "HawkEye Malware",
        "PXA Stealer",
        "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack",
        "BrazenBamboo",
        "SpyGlace",
        "RustyStealer and New Ymir Ransomware",
        "PyPI-AIOCPA",
        "Python NodeStealer",
        "romcom-exploits-firefox-and-windows",
        "Rockstar-Phishing",
        "Silent Skimmer Gets Loud (Again)",
        "SteelFox Trojan",
        "WezRat Malware",
        "Avast-Anti-Root-KIt",
        "Winos4.0 RAT",
        "APT36",
        "WolfsBane Backdoor",
        "APT-K-47",
        "Remcos RAT",
        "babbleloader",
        "Bitter APT",
        "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing",
        "CloudScout_ Evasive Panda scouting cloud services",
        "clickfix-tactic",
        "Akira Ransomware",
        "Bumblebee Malware",
        "ELDORADO RANSOMWARE",
        "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan",
        "Demodex rootkit",
        "BugSleep Malware",
        "HotPage.exe (malware)",
        "Qilin Ransomware",
        "NOOPDOOR Malware",
        "Shadowroot Ransomware",
        "play ransomware",
        "MALLOX RANSOMWARE",
        "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users",
        "ACR Stealer",
        "Suspicious Domains Exploiting the Recent CrowdStrike Outage!",
        "Gh0stGambit",
        "MEKOTIO BANKING TROJAN",
        "TAG-100",
        "Fake game sites lead to information stealers",
        "Chrome Extensions Hijacked, 2.6 Million Users Impacted",
        "macOS Users Targeted by the New Variant of Banshee Infostealer",
        "Hundreds of fake Reddit sites push Lumma Stealer malware",
        "GamaCopy APT Group Mimicking GamaRedon",
        "InvisibleFerret Malware Leveraging Python for Targeted Attacks",
        "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer",
        "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors",
        "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution",
        "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads",
        "New Star Blizzard spear-phishing campaign targets WhatsApp accounts",
        "RansomHub Affiliate leverages Python-based backdoor",
        "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques",
        "Advanced Evasion Techniques Used by NonEuclid RAT",
        "The Return of PlugX Malware with Fresh Tricks",
        "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts",
        "Weaponized Software Targeting Chinese Organizations",
        "Threat Surge as Lumma Stealer Expands Its Reach",
        "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain",
        "MintsLoader_Stealc",
        "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks",
        "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware",
        "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques",
        "Salt Typhoon  Target U.S. Telecom Networks",
        "SecTopRAT",
        "Stealers on the Rise",
        "Snake Keylogger",
        "AsyncRAT Reloaded",
        "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation",
        "FatalRAT",
        "SystemBC RAT Poses New Risks to Linux System",
        "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations",
        "FERRET Malware Targets macOS in Sophisticated North Korean Attacks",
        "Espionage Campaign Targeting South Asian Entities",
        "Astral Stealer Strikes Again Stealing More Than Just Your Cookies",
        "The New Ransomware Menace Vgod Gains Momentum",
        "Microsoft Advertisers Phished via Malicious Google Ads",
        "LegionLoader Malware Expands Global Reach",
        "NEW.txt",
        "From Stealers to Ransomware PureCrypter Delivers It All",
        "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs",
        "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux",
        "LockBit Ransomware Attack Leveraging Cobalt Strike",
        "Rspack_Compromised_Packages",
        "SmokeLoader",
        "Sock5Systemz-PROXY-AM",
        "solana-backdoor",
        "U.S. Organization in China Targeted by Attackers",
        "UAC-0185 attacks warned by CERT-UA",
        "BellaCpp",
        "bootkitty(logofail)",
        "Visual Studio Code Remote tunnels",
        "Cloud Atlas seen using a new tool in its attacks",
        "Christmas-Themed LNK Files Used for Malware Delivery",
        "DarkGate",
        "MirrorFace Campain",
        "horns-hooves",
        "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers",
        "NetSupport RAT and BurnsRAT",
        "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery",
        "MUT-1244-GitHub",
        "Phobos ransomware",
        "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data",
        "PUMAKIT",
        "OtterCookie used by Contagious Interview",
        "Ransomware-Lockbit3-IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mekotio Banking",
          "display_name": "Mekotio Banking",
          "target": null
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "MSI",
          "display_name": "MSI",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        },
        {
          "id": "Vant",
          "display_name": "Vant",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 84,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Badderawy",
        "id": "310597",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 950,
        "FileHash-SHA1": 847,
        "FileHash-SHA256": 1060,
        "hostname": 1158,
        "domain": 867,
        "URL": 813,
        "email": 77,
        "CIDR": 2,
        "CVE": 9
      },
      "indicator_count": 5783,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "427 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "hkinuxb3bz.top",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "hkinuxb3bz.top",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780185090.2368438
}