{ "type": "URL", "indicator": "http://updatemsdnserver.com/script.php.", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://updatemsdnserver.com/script.php.", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4136415262, "indicator": "http://updatemsdnserver.com/script.php.", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd98718e1529162e88dac7", "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer", "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T21:09:05.692000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc1d2412b0e354d73f4831", "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.", "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.", "modified": "2025-10-30T18:03:11.379000", "created": "2025-09-30T18:10:44.616000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "Hive0145", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edfce2513a952356d99a24", "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.", "description": "", "modified": "2025-10-30T18:03:11.379000", "created": "2025-10-14T07:33:54.529000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "Hive0145", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": "68dc1d2412b0e354d73f4831", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs_Oct week-1.pdf", "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Hive0145", "Multiple APT/Malware" ], "malware_families": [ "Second", "Starfish", "Mikrotik", "Golo", "Strela" ], "industries": [], "unique_indicators": 862 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/updatemsdnserver.com", "whois": "http://whois.domaintools.com/updatemsdnserver.com", "domain": "updatemsdnserver.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dd98718e1529162e88dac7", "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer", "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T21:09:05.692000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dc1d2412b0e354d73f4831", "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.", "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.", "modified": "2025-10-30T18:03:11.379000", "created": "2025-09-30T18:10:44.616000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "Hive0145", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68edfce2513a952356d99a24", "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.", "description": "", "modified": "2025-10-30T18:03:11.379000", "created": "2025-10-14T07:33:54.529000", "tags": [ "detour dog", "strong", "june", "august", "july", "november", "los pollos", "september", "february", "april", "cloud", "service", "protect", "tofsee", "virustotal", "contact", "tools", "speed", "black", "example", "trojan", "test", "path", "defense", "mikrotik", "golo", "second", "starfish", "strela" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/" ], "public": 1, "adversary": "Hive0145", "targeted_countries": [ "Germany" ], "malware_families": [ { "id": "MikroTik", "display_name": "MikroTik", "target": null }, { "id": "Golo", "display_name": "Golo", "target": null }, { "id": "Second", "display_name": "Second", "target": null }, { "id": "StarFish", "display_name": "StarFish", "target": null }, { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "green", "cloned_from": "68dc1d2412b0e354d73f4831", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 17, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://updatemsdnserver.com/script.php.", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://updatemsdnserver.com/script.php.", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223204.1444774 }