{ "type": "URL", "indicator": "http://validin.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://validin.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4200730295, "indicator": "http://validin.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/", "IOCs2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R" ], "malware_families": [], "industries": [], "unique_indicators": 947 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/validin.com", "whois": "http://whois.domaintools.com/validin.com", "domain": "validin.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://validin.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://validin.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780332727.2958782 }