{ "type": "URL", "indicator": "http://check.nid-log.com/api/bootservice.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://check.nid-log.com/api/bootservice.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4305886740, "indicator": "http://check.nid-log.com/api/bootservice.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69dd07742196e34ee1615b73", "name": "Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "description": "On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with \"Million OK !!!!\" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-13T15:10:44.257000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386924, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e3a6f17bc9128b68fb5957", "name": "Botnet_C2 | Apr 19, 2026", "description": "Botnet_C2 indicators. Date: Apr 19, 2026. Total: 1746 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T15:23:50.476000", "created": "2026-04-18T15:44:49.847000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 413, "URL": 204, "domain": 312 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 101, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e253c29098f4b568a8f2a7", "name": "Botnet_C2 | Apr 18, 2026", "description": "Botnet_C2 indicators. Date: Apr 18, 2026. Total: 1799 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T15:03:02.219000", "created": "2026-04-17T15:37:38.047000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 320, "hostname": 434, "URL": 197 }, "indicator_count": 951, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e102aa109e81866b3e89dc", "name": "Botnet_C2 | Apr 17, 2026", "description": "Botnet_C2 indicators. Date: Apr 17, 2026. Total: 1696 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T15:03:05.310000", "created": "2026-04-16T15:39:22.476000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 441, "URL": 167, "domain": 304 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e102c2d784cd9a66a60376", "name": "Botnet_C2 | Apr 17, 2026", "description": "Botnet_C2 indicators. Date: Apr 17, 2026. Total: 1696 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T15:03:05.310000", "created": "2026-04-16T15:39:46.773000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 441, "URL": 167, "domain": 304 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dfb1608c8bc5c2e7810e3d", "name": "Botnet_C2 | Apr 16, 2026", "description": "Botnet_C2 indicators. Date: Apr 16, 2026. Total: 1778 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T15:02:07.040000", "created": "2026-04-15T15:40:16.705000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 165, "domain": 300, "hostname": 525 }, "indicator_count": 990, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de5f155d2e21a02c2a81b0", "name": "Botnet_C2 | Apr 15, 2026", "description": "Botnet_C2 indicators. Date: Apr 15, 2026. Total: 1180 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T15:08:51.031000", "created": "2026-04-14T15:36:53.655000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 368, "URL": 147, "domain": 188 }, "indicator_count": 703, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dd71c832212600957dc6b4", "name": "Botnet_C2 | Apr 14, 2026", "description": "Botnet_C2 indicators. Date: Apr 14, 2026. Total: 1107 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T22:02:12.902000", "created": "2026-04-13T22:44:24.697000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 373, "domain": 168, "URL": 147 }, "indicator_count": 688, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dd3c516039ea7996cd8aeb", "name": "Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "description": "On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with \"Million OK !!!!\" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-13T18:56:17.567000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "green", "cloned_from": "69dd07742196e34ee1615b73", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddc274967bab83c0b8258b", "name": "Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "description": "", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-14T04:28:36.564000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": "69dd07742196e34ee1615b73", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddcab2615aa2739bbf740d", "name": "Live C2 Dump Recovering Every Stage clone alien vault", "description": "", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-14T05:03:46.587000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": "69dd07742196e34ee1615b73", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddcf8d11ca257ed1ea316d", "name": "Report Spam Author avatar Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger CREATED 55 MINUTES AGO by Tr1sa111 Public TLP: White", "description": "", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-14T05:24:29.643000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": "69ddc274967bab83c0b8258b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ddd00d44fbd9fcb6521ad5", "name": "Report Spam Author avatar Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger CREATED 55 MINUTES AGO by Tr1sa111 Public TLP: White", "description": "", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-14T05:26:37.606000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": "69ddc274967bab83c0b8258b", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dd02207dcb132d4f8a9167", "name": "Botnet_C2 | Apr 14, 2026", "description": "Botnet_C2 indicators. Date: Apr 14, 2026. Total: 1081 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:07:40.996000", "created": "2026-04-13T14:48:00.542000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 140, "URL": 151, "hostname": 377 }, "indicator_count": 668, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dbb12da53adedfcde420ac", "name": "Botnet_C2 | Apr 13, 2026", "description": "Botnet_C2 indicators. Date: Apr 13, 2026. Total: 1049 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:28:43.689000", "created": "2026-04-12T14:50:21.257000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 164, "domain": 143, "hostname": 345 }, "indicator_count": 652, "is_author": false, "is_subscribing": null, "subscriber_count": 100, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery", "https://ltna.com.au/cyber", "IOCs.April.pdf" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [], "industries": [], "unique_indicators": 47 }, "other": { "adversary": [ "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "Kimsuky" ], "malware_families": [], "industries": [], "unique_indicators": 2384 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/nid-log.com", "whois": "http://whois.domaintools.com/nid-log.com", "domain": "nid-log.com", "hostname": "check.nid-log.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69dd07742196e34ee1615b73", "name": "Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "description": "On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with \"Million OK !!!!\" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-13T15:10:44.257000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 386924, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e3a6f17bc9128b68fb5957", "name": "Botnet_C2 | Apr 19, 2026", "description": "Botnet_C2 indicators. Date: Apr 19, 2026. Total: 1746 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T15:23:50.476000", "created": "2026-04-18T15:44:49.847000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 413, "URL": 204, "domain": 312 }, "indicator_count": 929, "is_author": false, "is_subscribing": null, "subscriber_count": 101, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e253c29098f4b568a8f2a7", "name": "Botnet_C2 | Apr 18, 2026", "description": "Botnet_C2 indicators. Date: Apr 18, 2026. Total: 1799 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T15:03:02.219000", "created": "2026-04-17T15:37:38.047000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 320, "hostname": 434, "URL": 197 }, "indicator_count": 951, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e102aa109e81866b3e89dc", "name": "Botnet_C2 | Apr 17, 2026", "description": "Botnet_C2 indicators. Date: Apr 17, 2026. Total: 1696 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T15:03:05.310000", "created": "2026-04-16T15:39:22.476000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 441, "URL": 167, "domain": 304 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e102c2d784cd9a66a60376", "name": "Botnet_C2 | Apr 17, 2026", "description": "Botnet_C2 indicators. Date: Apr 17, 2026. Total: 1696 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T15:03:05.310000", "created": "2026-04-16T15:39:46.773000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 441, "URL": 167, "domain": 304 }, "indicator_count": 912, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dfb1608c8bc5c2e7810e3d", "name": "Botnet_C2 | Apr 16, 2026", "description": "Botnet_C2 indicators. Date: Apr 16, 2026. Total: 1778 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T15:02:07.040000", "created": "2026-04-15T15:40:16.705000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 165, "domain": 300, "hostname": 525 }, "indicator_count": 990, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69de5f155d2e21a02c2a81b0", "name": "Botnet_C2 | Apr 15, 2026", "description": "Botnet_C2 indicators. Date: Apr 15, 2026. Total: 1180 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T15:08:51.031000", "created": "2026-04-14T15:36:53.655000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 368, "URL": 147, "domain": 188 }, "indicator_count": 703, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dd71c832212600957dc6b4", "name": "Botnet_C2 | Apr 14, 2026", "description": "Botnet_C2 indicators. Date: Apr 14, 2026. Total: 1107 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T22:02:12.902000", "created": "2026-04-13T22:44:24.697000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 373, "domain": 168, "URL": 147 }, "indicator_count": 688, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dd3c516039ea7996cd8aeb", "name": "Live C2 Dump Recovering Every Stage of the Kill Chain: CHM Dropper, VBScript Stager, PowerShell Keylogger", "description": "On April 11, 2026, researchers analyzed a CHM file (api_reference.chm) tagged as Kimsuky that initiated a three-stage attack chain. The C2 server at check[.]nid-log[.]com had directory listing enabled, allowing recovery of complete source code for all payload stages: a 6,338-byte VBScript performing system reconnaissance and establishing persistence via scheduled task, a 449-byte VBScript bridge to PowerShell, and a 6,234-byte PowerShell keylogger with clipboard monitoring and timed exfiltration. The infrastructure included 79+ domains across 5 C2 IPs spanning Korean VPS providers. The server responded with \"Million OK !!!!\" signature, matching previously documented Kimsuky infrastructure while showing upgraded Apache/PHP stack. The operation targeted Korean Naver users through credential phishing and tax authority impersonation, with infrastructure linked to previously documented Kimsuky campaigns via shared DAOU Technology subnets.", "modified": "2026-05-13T15:34:02.574000", "created": "2026-04-13T18:56:17.567000", "tags": [ "apt43", "korean targeting", "chm dropper", "vbscript stager", "naver phishing", "credential harvesting", "dprk", "powershell keylogger" ], "references": [ "https://intel.breakglass.tech/post/kimsuky-chm-nidlog-c2-dump-full-payload-recovery" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" } ], "industries": [], "TLP": "green", "cloned_from": "69dd07742196e34ee1615b73", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "YARA": 1, "domain": 4, "hostname": 12 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://check.nid-log.com/api/bootservice.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://check.nid-log.com/api/bootservice.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780418058.7222962 }