{ "type": "URL", "indicator": "http://dltruek.com/test.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://dltruek.com/test.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4227419906, "indicator": "http://dltruek.com/test.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69a163c992e9afc70efc55d7", "name": "Botnet Trojan delivered through ClickFix and EtherHiding", "description": "A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.", "modified": "2026-02-27T09:46:06.879000", "created": "2026-02-27T09:28:41.886000", "tags": [ "ocrfix", "etherhiding", "typosquatting", "obfuscation", "botnet", "multi-stage", "phishing", "defense evasion", "bnb smart chain", "clickfix" ], "references": [ "https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OCRFix", "display_name": "OCRFix", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.002", "name": "Disable Windows Event Logging", "display_name": "T1562.002 - Disable Windows Event Logging" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 4, "URL": 3, "domain": 8, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386753, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a04928b5f1c2b7aa532d23", "name": "EbeeFeb2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:22:48.398000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 188, "FileHash-SHA1": 106, "FileHash-SHA256": 198, "URL": 38, "domain": 161, "email": 3, "hostname": 222 }, "indicator_count": 916, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a757a872a0ab148da31e83", "name": "Botnet Trojan delivered through ClickFix and EtherHiding", "description": "", "modified": "2026-03-03T21:50:32.003000", "created": "2026-03-03T21:50:32.003000", "tags": [ "ocrfix", "etherhiding", "typosquatting", "obfuscation", "botnet", "multi-stage", "phishing", "defense evasion", "bnb smart chain", "clickfix" ], "references": [ "https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OCRFix", "display_name": "OCRFix", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.002", "name": "Disable Windows Event Logging", "display_name": "T1562.002 - Disable Windows Event Logging" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69a163c992e9afc70efc55d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 4, "URL": 3, "domain": 8, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Ocrfix" ], "industries": [], "unique_indicators": 25 }, "other": { "adversary": [ "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer" ], "malware_families": [ "Ocrfix" ], "industries": [], "unique_indicators": 987 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dltruek.com", "whois": "http://whois.domaintools.com/dltruek.com", "domain": "dltruek.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69a163c992e9afc70efc55d7", "name": "Botnet Trojan delivered through ClickFix and EtherHiding", "description": "A sophisticated phishing campaign impersonating Tesseract OCR was discovered, utilizing typosquatting and ClickFix techniques. The attack chain, named OCRFix, employed multi-stage malware deployments with heavy obfuscation and defense evasion techniques, including EtherHiding. The campaign used BNB Smart Chain TestNet to hide C2 domains through smart contracts. The malware delivery process involved three stages: a loader, a secondary loader for persistence, and a bot listener. The final payload connected to a bot control panel, allowing attackers to manage infected hosts and deploy additional malware. The campaign demonstrated a combination of simple initial access methods with complex delivery chains, highlighting the ongoing effectiveness of techniques like ClickFix and the importance of robust phishing defenses.", "modified": "2026-02-27T09:46:06.879000", "created": "2026-02-27T09:28:41.886000", "tags": [ "ocrfix", "etherhiding", "typosquatting", "obfuscation", "botnet", "multi-stage", "phishing", "defense evasion", "bnb smart chain", "clickfix" ], "references": [ "https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OCRFix", "display_name": "OCRFix", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.002", "name": "Disable Windows Event Logging", "display_name": "T1562.002 - Disable Windows Event Logging" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 4, "URL": 3, "domain": 8, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 386753, "modified_text": "94 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a04928b5f1c2b7aa532d23", "name": "EbeeFeb2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:22:48.398000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "MuddyWater, Diesel Vortex, Delivering DEERSTEALER Infostealer, Nefilim Ransomware, Arkanix Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 188, "FileHash-SHA1": 106, "FileHash-SHA256": 198, "URL": 38, "domain": 161, "email": 3, "hostname": 222 }, "indicator_count": 916, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a757a872a0ab148da31e83", "name": "Botnet Trojan delivered through ClickFix and EtherHiding", "description": "", "modified": "2026-03-03T21:50:32.003000", "created": "2026-03-03T21:50:32.003000", "tags": [ "ocrfix", "etherhiding", "typosquatting", "obfuscation", "botnet", "multi-stage", "phishing", "defense evasion", "bnb smart chain", "clickfix" ], "references": [ "https://www.cyjax.com/resources/blog/ocrfix-botnet-trojan-delivered-through-clickfix-and-etherhiding" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OCRFix", "display_name": "OCRFix", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.002", "name": "Disable Windows Event Logging", "display_name": "T1562.002 - Disable Windows Event Logging" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001.003", "name": "Protocol Impersonation", "display_name": "T1001.003 - Protocol Impersonation" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69a163c992e9afc70efc55d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 4, "URL": 3, "domain": 8, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "89 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://dltruek.com/test.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://dltruek.com/test.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780346854.2310154 }