{
  "type": "URL",
  "indicator": "http://31.172.71.5:8008",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://31.172.71.5:8008",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4193035677,
      "indicator": "http://31.172.71.5:8008",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69f32ac81834d5a878e8fac0",
          "name": "Energy Sector Incident Report",
          "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T10:11:20.255000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386443,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3bd5aef3274f6820fabc7",
          "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T20:36:42.625000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "olivershippy",
            "id": "401750",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3bd6814568df21249e586",
          "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T20:36:56.263000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "olivershippy",
            "id": "401750",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f82582e230f0f8170c97fa",
          "name": "Energy Sector Incident Report",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-05-04T04:50:10.429000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b8f03b3216aa326067f7a0",
          "name": "HANDALA-Iranian Nexus Actor",
          "description": "",
          "modified": "2026-04-18T12:01:34.910000",
          "created": "2026-03-17T06:10:03.844000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filename",
            "filehashsha1"
          ],
          "references": [
            "IOCs.2026.2.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 127,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 117,
            "URL": 19,
            "domain": 27,
            "hostname": 4
          },
          "indicator_count": 387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c4f02712e4743d0aa2263",
          "name": "EbeeFeb2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T09:42:26.929000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "redacted"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 159,
            "FileHash-SHA1": 186,
            "FileHash-SHA256": 256,
            "CVE": 4,
            "URL": 49,
            "domain": 98,
            "hostname": 46
          },
          "indicator_count": 798,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "78 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698050bc6e6a312f449dde78",
          "name": "DynoWiper update: Technical analysis and attribution",
          "description": "ESET researchers have identified a recent data destruction incident involving a new wiper malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm. Sandworm is notorious for its destructive cyber operations targeting various sectors, including energy, transportation, and government, as exemplified by past attacks such as NotPetya and Olympic Destroyer.\n\nDynoWiper was deployed on December 29, 2025, in the shared directory C:\\inetpub\\pub\\, using executable filenames like schtask.exe and schtask2.exe. Notably, the references to a Visual Studio project path suggest that the malware may have been developed in an environment utilizing the Vagrant tool for managing virtual machines. This indicates that Sandworm possibly tested DynoWiper on virtual machines before unleashing it within the target organization\u2019s network.",
          "modified": "2026-03-04T07:02:58.010000",
          "created": "2026-02-02T07:22:36.796000",
          "tags": [
            "sandworm",
            "strong",
            "zov wiper",
            "dynowiper",
            "ukraine",
            "eset research",
            "poland",
            "eset",
            "group policy",
            "december",
            "industroyer",
            "industroyer2",
            "blackenergy",
            "greyenergy",
            "wallpaper",
            "tips",
            "notpetya",
            "february",
            "hermeticwiper",
            "caddywiper",
            "doublezero",
            "arguepatch",
            "roarbat",
            "swiftslicer",
            "april",
            "first",
            "execution",
            "powershell",
            "shell",
            "rubeus",
            "impact",
            "wiper",
            "uac\u20110099",
            "zov",
            "prestige",
            "socks5 proxy",
            "rubeus toolset",
            "kerberos",
            "network ip",
            "domain hosting",
            "details",
            "na fornex",
            "socks5 server"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine",
            "Russian Federation",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1561.001",
              "name": "Disk Content Wipe",
              "display_name": "T1561.001 - Disk Content Wipe"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [
            "Energy",
            "Industrial",
            "Government",
            "Logistics",
            "Transportation",
            "Media",
            "Telecommunications",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 1,
            "domain": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 546,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/",
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf",
        "IOCs.2026.2.csv",
        "IOCs.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Static Tundra"
          ],
          "malware_families": [
            "Impacket",
            "Lazywiper",
            "Rubeus",
            "Dynowiper"
          ],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "unique_indicators": 47
        },
        "other": {
          "adversary": [
            "Static Tundra",
            "Sandworm",
            "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer"
          ],
          "malware_families": [
            "Impacket",
            "Lazywiper",
            "Rubeus",
            "Dynowiper"
          ],
          "industries": [
            "Financial",
            "Energy",
            "Government",
            "Media",
            "Transportation",
            "Industrial",
            "Telecommunications",
            "Manufacturing",
            "Logistics"
          ],
          "unique_indicators": 1302
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/31.172.71.5",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69f32ac81834d5a878e8fac0",
      "name": "Energy Sector Incident Report",
      "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T10:11:20.255000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386443,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3bd5aef3274f6820fabc7",
      "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T20:36:42.625000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "olivershippy",
        "id": "401750",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3bd6814568df21249e586",
      "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T20:36:56.263000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "olivershippy",
        "id": "401750",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f82582e230f0f8170c97fa",
      "name": "Energy Sector Incident Report",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-05-04T04:50:10.429000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b8f03b3216aa326067f7a0",
      "name": "HANDALA-Iranian Nexus Actor",
      "description": "",
      "modified": "2026-04-18T12:01:34.910000",
      "created": "2026-03-17T06:10:03.844000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filename",
        "filehashsha1"
      ],
      "references": [
        "IOCs.2026.2.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 127,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 117,
        "URL": 19,
        "domain": 27,
        "hostname": 4
      },
      "indicator_count": 387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c4f02712e4743d0aa2263",
      "name": "EbeeFeb2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T09:42:26.929000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "redacted"
      ],
      "references": [
        "IOCs.csv"
      ],
      "public": 1,
      "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 159,
        "FileHash-SHA1": 186,
        "FileHash-SHA256": 256,
        "CVE": 4,
        "URL": 49,
        "domain": 98,
        "hostname": 46
      },
      "indicator_count": 798,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "78 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698050bc6e6a312f449dde78",
      "name": "DynoWiper update: Technical analysis and attribution",
      "description": "ESET researchers have identified a recent data destruction incident involving a new wiper malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm. Sandworm is notorious for its destructive cyber operations targeting various sectors, including energy, transportation, and government, as exemplified by past attacks such as NotPetya and Olympic Destroyer.\n\nDynoWiper was deployed on December 29, 2025, to the shared directory C:\\inetpub\\pub\\, using executable filenames like schtask.exe and schtask2.exe. Notably, references to a Visual Studio project path suggest that the malware may have been developed in an environment utilizing the Vagrant tool for managing virtual machines. This suggests that Sandworm may have tested DynoWiper on virtual machines before unleashing it within the target organization\u2019s network.",
      "modified": "2026-03-04T07:02:58.010000",
      "created": "2026-02-02T07:22:36.796000",
      "tags": [
        "sandworm",
        "strong",
        "zov wiper",
        "dynowiper",
        "ukraine",
        "eset research",
        "poland",
        "eset",
        "group policy",
        "december",
        "industroyer",
        "industroyer2",
        "blackenergy",
        "greyenergy",
        "wallpaper",
        "tips",
        "notpetya",
        "february",
        "hermeticwiper",
        "caddywiper",
        "doublezero",
        "arguepatch",
        "roarbat",
        "swiftslicer",
        "april",
        "first",
        "execution",
        "powershell",
        "shell",
        "rubeus",
        "impact",
        "wiper",
        "uac\u20110099",
        "zov",
        "prestige",
        "socks5 proxy",
        "rubeus toolset",
        "kerberos",
        "network ip",
        "domain hosting",
        "details",
        "na fornex",
        "socks5 server"
      ],
      "references": [
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
      ],
      "public": 1,
      "adversary": "Sandworm",
      "targeted_countries": [
        "Poland",
        "Ukraine",
        "Russian Federation",
        "Pakistan"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1584.004",
          "name": "Server",
          "display_name": "T1584.004 - Server"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1090.002",
          "name": "External Proxy",
          "display_name": "T1090.002 - External Proxy"
        },
        {
          "id": "T1561.001",
          "name": "Disk Content Wipe",
          "display_name": "T1561.001 - Disk Content Wipe"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        }
      ],
      "industries": [
        "Energy",
        "Industrial",
        "Government",
        "Logistics",
        "Transportation",
        "Media",
        "Telecommunications",
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "URL": 1,
        "domain": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 6
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 546,
      "modified_text": "87 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://31.172.71.5:8008",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://31.172.71.5:8008",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780165570.378314
}