{
  "type": "URL",
  "indicator": "http://adobefileshare.com/getfilename",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://adobefileshare.com/getfilename",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4157019680,
      "indicator": "http://adobefileshare.com/getfilename",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69329279adf6aee08f7d6c20",
          "name": "Analysis of StreamSpy, a new WebSocket-based Trojan used by Patchwork / Maha Grass (APT-Q-36).",
          "description": "The analysis of the StreamSpy Trojan, attributed to the APT-Q-36 group (Maha Grass / \u6469\u8bc3\u8349, tracked in the West as Patchwork; 'Mahayana' in machine-translated reporting is a mistranslation of this group name, not a separate actor), identifies a sophisticated piece of malware designed for cyber espionage. The group has a history of operations targeting various sectors, particularly in Asia, since 2009. StreamSpy uses a hybrid communication approach, combining WebSocket with plain HTTP to reach its command and control (C2) servers. Commands and task results are exchanged over a long-lived upgraded connection, so part of the C2 traffic does not appear as discrete HTTP requests and may be missed by inspection that only parses request/response pairs.",
          "modified": "2025-12-05T08:06:17.655000",
          "created": "2025-12-05T08:06:17.655000",
          "tags": [
            "apt \u653b\u51fb",
            "\u6728\u9a6c",
            "streamspy",
            "prefix",
            "zipname",
            "spyder",
            "websocket",
            "http",
            "auth",
            "fidus software",
            "shellexecuteexw",
            "c0v3rt",
            "persistence",
            "stream",
            "maha grass",
            "spyder variant",
            "belly worm",
            "ioc md5",
            "belly"
          ],
          "references": [
            "https://zhuanlan.zhihu.com/p/1979499278541017681"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "military",
            "Government",
            "Education"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 18,
            "domain": 7,
            "hostname": 4
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "140 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69303ff3c0137a735bf43b91",
          "name": "Analysis of StreamSpy, a new Trojan horse utilizing WebSocket, used by Patchwork / Maha Grass (APT-Q-36)",
          "description": "The analysis of the StreamSpy Trojan, attributed to the Patchwork group (Maha Grass / \u6469\u8bc3\u8349, tracked as APT-Q-36; 'Mahabusa' in machine-translated reporting is a mistranslation of the Chinese group name), reveals its use of WebSocket for C2 communication, a notable change in the group's tooling. This group has been active for over a decade, with a focus on cyber espionage directed at various sectors in the Asian region, including government, military, energy, industrial, research, education, diplomacy, and economic organizations.\n\nStreamSpy leverages the WebSocket protocol to maintain persistent and real-time communication with its command and control (C2) servers, which allows for dynamic and covert data extraction. Compared with traditional request/response HTTP C2, this gives the operator a two-way interactive channel that HTTP inspection oriented around discrete requests may not parse once the connection has been upgraded. Defenders should therefore log and review WebSocket upgrade handshakes (HTTP 'Upgrade: websocket') to unfamiliar hosts rather than relying on URL or request-body inspection alone.",
          "modified": "2025-12-03T13:49:39.511000",
          "created": "2025-12-03T13:49:39.511000",
          "tags": [
            "streamspy",
            "websocket",
            "spyder",
            "http",
            "prefix",
            "zipname",
            "auth",
            "c0v3rt",
            "fidus",
            "https",
            "persistence",
            "stream",
            "shell",
            "powershell",
            "donot",
            "alpha",
            "galaxy",
            "konni",
            "muddywater"
          ],
          "references": [
            "https://www.ctfiot.com/284804.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 22,
            "domain": 6,
            "hostname": 4
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 172,
          "modified_text": "141 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "692fd63fde28839964296c8b",
          "name": "IOC - \u6469\u8bc3\u8349\uff08APT-Q-36\uff09\u5229\u7528 WebSocket \u7684\u65b0\u6728\u9a6c StreamSpy \u5206\u6790",
          "description": "\u6469\u8bc3\u8349\uff0c\u53c8\u540d Patchwork\u3001\u767d\u8c61\u3001Hangover\u3001Dropping Elephant \u7b49\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-36\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u5176\u6700\u65e9\u653b\u51fb\u6d3b\u52a8\u53ef\u8ffd\u6eaf\u5230 2009 \u5e74 11 \u6708\uff0c\u5df2\u6301\u7eed\u6d3b\u8dc3 10 \u4f59\u5e74\u3002\u8be5\u7ec4\u7ec7\u4e3b\u8981\u9488\u5bf9\u4e9a\u6d32\u5730\u533a\u7684\u56fd\u5bb6\u8fdb\u884c\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\uff0c\u653b\u51fb\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u519b\u4e8b\u3001\u7535\u529b\u3001\u5de5\u4e1a\u3001\u79d1\u7814\u6559\u80b2\u3001\u5916\u4ea4\u548c\u7ecf\u6d4e\u7b49\u9886\u57df\u7684\u7ec4\u7ec7\u673a\u6784\u3002",
          "modified": "2025-12-03T06:18:39.254000",
          "created": "2025-12-03T06:18:39.254000",
          "tags": [
            "streamspy",
            "spyder"
          ],
          "references": [
            "https://www.ctfiot.com/284804.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "URL": 15,
            "domain": 7,
            "hostname": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "142 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://zhuanlan.zhihu.com/p/1979499278541017681",
        "https://www.ctfiot.com/284804.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer"
          ],
          "malware_families": [],
          "industries": [
            "Military",
            "Education",
            "Government"
          ],
          "unique_indicators": 1015
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/adobefileshare.com",
    "whois": "http://whois.domaintools.com/adobefileshare.com",
    "domain": "adobefileshare.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "110 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69329279adf6aee08f7d6c20",
      "name": "Analysis of StreamSpy, a new WebSocket-based Trojan used by Patchwork / Maha Grass (APT-Q-36).",
      "description": "The analysis of the StreamSpy Trojan, attributed to the APT-Q-36 group (Maha Grass / \u6469\u8bc3\u8349, tracked in the West as Patchwork; 'Mahayana' in machine-translated reporting is a mistranslation of this group name, not a separate actor), identifies a sophisticated piece of malware designed for cyber espionage. The group has a history of operations targeting various sectors, particularly in Asia, since 2009. StreamSpy uses a hybrid communication approach, combining WebSocket with plain HTTP to reach its command and control (C2) servers. Commands and task results are exchanged over a long-lived upgraded connection, so part of the C2 traffic does not appear as discrete HTTP requests and may be missed by inspection that only parses request/response pairs.",
      "modified": "2025-12-05T08:06:17.655000",
      "created": "2025-12-05T08:06:17.655000",
      "tags": [
        "apt \u653b\u51fb",
        "\u6728\u9a6c",
        "streamspy",
        "prefix",
        "zipname",
        "spyder",
        "websocket",
        "http",
        "auth",
        "fidus software",
        "shellexecuteexw",
        "c0v3rt",
        "persistence",
        "stream",
        "maha grass",
        "spyder variant",
        "belly worm",
        "ioc md5",
        "belly"
      ],
      "references": [
        "https://zhuanlan.zhihu.com/p/1979499278541017681"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "military",
        "Government",
        "Education"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 18,
        "domain": 7,
        "hostname": 4
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 172,
      "modified_text": "140 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69303ff3c0137a735bf43b91",
      "name": "Analysis of StreamSpy, a new Trojan horse utilizing WebSocket, used by Patchwork / Maha Grass (APT-Q-36)",
      "description": "The analysis of the StreamSpy Trojan, attributed to the Patchwork group (Maha Grass / \u6469\u8bc3\u8349, tracked as APT-Q-36; 'Mahabusa' in machine-translated reporting is a mistranslation of the Chinese group name), reveals its use of WebSocket for C2 communication, a notable change in the group's tooling. This group has been active for over a decade, with a focus on cyber espionage directed at various sectors in the Asian region, including government, military, energy, industrial, research, education, diplomacy, and economic organizations.\n\nStreamSpy leverages the WebSocket protocol to maintain persistent and real-time communication with its command and control (C2) servers, which allows for dynamic and covert data extraction. Compared with traditional request/response HTTP C2, this gives the operator a two-way interactive channel that HTTP inspection oriented around discrete requests may not parse once the connection has been upgraded. Defenders should therefore log and review WebSocket upgrade handshakes (HTTP 'Upgrade: websocket') to unfamiliar hosts rather than relying on URL or request-body inspection alone.",
      "modified": "2025-12-03T13:49:39.511000",
      "created": "2025-12-03T13:49:39.511000",
      "tags": [
        "streamspy",
        "websocket",
        "spyder",
        "http",
        "prefix",
        "zipname",
        "auth",
        "c0v3rt",
        "fidus",
        "https",
        "persistence",
        "stream",
        "shell",
        "powershell",
        "donot",
        "alpha",
        "galaxy",
        "konni",
        "muddywater"
      ],
      "references": [
        "https://www.ctfiot.com/284804.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 22,
        "domain": 6,
        "hostname": 4
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 172,
      "modified_text": "141 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "692fd63fde28839964296c8b",
      "name": "IOC - \u6469\u8bc3\u8349\uff08APT-Q-36\uff09\u5229\u7528 WebSocket \u7684\u65b0\u6728\u9a6c StreamSpy \u5206\u6790",
      "description": "\u6469\u8bc3\u8349\uff0c\u53c8\u540d Patchwork\u3001\u767d\u8c61\u3001Hangover\u3001Dropping Elephant \u7b49\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-36\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u5176\u6700\u65e9\u653b\u51fb\u6d3b\u52a8\u53ef\u8ffd\u6eaf\u5230 2009 \u5e74 11 \u6708\uff0c\u5df2\u6301\u7eed\u6d3b\u8dc3 10 \u4f59\u5e74\u3002\u8be5\u7ec4\u7ec7\u4e3b\u8981\u9488\u5bf9\u4e9a\u6d32\u5730\u533a\u7684\u56fd\u5bb6\u8fdb\u884c\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\uff0c\u653b\u51fb\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u519b\u4e8b\u3001\u7535\u529b\u3001\u5de5\u4e1a\u3001\u79d1\u7814\u6559\u80b2\u3001\u5916\u4ea4\u548c\u7ecf\u6d4e\u7b49\u9886\u57df\u7684\u7ec4\u7ec7\u673a\u6784\u3002",
      "modified": "2025-12-03T06:18:39.254000",
      "created": "2025-12-03T06:18:39.254000",
      "tags": [
        "streamspy",
        "spyder"
      ],
      "references": [
        "https://www.ctfiot.com/284804.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 6,
        "URL": 15,
        "domain": 7,
        "hostname": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "142 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://adobefileshare.com/getfilename",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://adobefileshare.com/getfilename",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1777018341.0814674
}