{
  "type": "URL",
  "indicator": "http://www.talesseries.com/write.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://www.talesseries.com/write.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3966737671,
      "indicator": "http://www.talesseries.com/write.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "69f837f3d2d59a26f6d3acf3",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors",
          "description": "An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages including real-ids, coloredtxt, beautifultext, and minisound were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...",
          "modified": "2026-05-04T14:31:13.962000",
          "created": "2026-05-04T06:08:51.240000",
          "tags": [
            "pypi",
            "pondrat",
            "supply chain attack",
            "citrine sleet",
            "applejeus",
            "poolrat",
            "badcall"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?pdf=print&lg=en&_wpnonce=7681ade9ed"
          ],
          "public": 1,
          "adversary": "Gleaming Pisces",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PondRAT",
              "display_name": "PondRAT",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "kupayupdate_stage2",
              "display_name": "kupayupdate_stage2",
              "target": null
            },
            {
              "id": "BADCALL - S0245",
              "display_name": "BADCALL - S0245",
              "target": null
            },
            {
              "id": "AppleJeus - S0584",
              "display_name": "AppleJeus - S0584",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386455,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e001e55e7c69c7c2be94df",
          "name": "Threat Assessment: North Korean Threat Groups",
          "description": "This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows, macOS, and Linux systems, providing technical insights into their functionality and Palo Alto Networks Cortex XDR's capability to detect and mitigate these threats.",
          "modified": "2024-10-10T08:03:36.798000",
          "created": "2024-09-10T08:23:01.551000",
          "tags": [
            "comebacker",
            "collectionrat",
            "northkorea",
            "malware",
            "fullhouse",
            "espionage",
            "poolrat",
            "rats",
            "cybercrime",
            "odicloader",
            "rustbucket",
            "objcshellz",
            "kandykorn",
            "pondrat",
            "smoothoperator"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
          ],
          "public": 1,
          "adversary": "Various North Korean groups under the Reconnaissance General Bureau",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RustBucket",
              "display_name": "RustBucket",
              "target": null
            },
            {
              "id": "KANDYKORN",
              "display_name": "KANDYKORN",
              "target": null
            },
            {
              "id": "SmoothOperator",
              "display_name": "SmoothOperator",
              "target": null
            },
            {
              "id": "ObjCShellz",
              "display_name": "ObjCShellz",
              "target": null
            },
            {
              "id": "Fullhouse",
              "display_name": "Fullhouse",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "PondRAT",
              "display_name": "PondRAT",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Comebacker",
              "display_name": "Comebacker",
              "target": null
            },
            {
              "id": "CollectionRAT",
              "display_name": "CollectionRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1009",
              "name": "Binary Padding",
              "display_name": "T1009 - Binary Padding"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 78,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 37,
            "URL": 2,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386455,
          "modified_text": "597 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ebd3b71f5a7ab8302fcfa5",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
          "description": "Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.",
          "modified": "2024-09-19T07:34:16.146000",
          "created": "2024-09-19T07:33:11.278000",
          "tags": [
            "pondrat",
            "poolrat",
            "macos",
            "rat",
            "cryptocurrency",
            "applejeus"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat"
          ],
          "public": 1,
          "adversary": "Gleaming Pisces",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PondRAT",
              "display_name": "PondRAT",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "AppleJeus - S0584",
              "display_name": "AppleJeus - S0584",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386450,
          "modified_text": "618 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fbad82234fc33123b0ce6d",
          "name": "EbeeMay2026 Pt1",
          "description": "Multiple APT/threat actors, malware families and campaigns",
          "modified": "2026-05-06T21:07:14.769000",
          "created": "2026-05-06T21:07:14.769000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "filepath",
            "localappdata",
            "cve20250994 cve",
            "temp",
            "mutex",
            "local"
          ],
          "references": [
            "IOCs-May1.csv"
          ],
          "public": 1,
          "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 80,
            "CIDR": 3,
            "CVE": 10,
            "FileHash-MD5": 154,
            "FileHash-SHA1": 140,
            "FileHash-SHA256": 219,
            "URL": 80,
            "domain": 82,
            "email": 8,
            "hostname": 60
          },
          "indicator_count": 836,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f97a983da6af26addef4ba",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors",
          "description": "",
          "modified": "2026-05-05T05:05:28.702000",
          "created": "2026-05-05T05:05:28.702000",
          "tags": [
            "pypi",
            "pondrat",
            "supply chain attack",
            "citrine sleet",
            "applejeus",
            "poolrat",
            "badcall"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?pdf=print&lg=en&_wpnonce=7681ade9ed"
          ],
          "public": 1,
          "adversary": "Gleaming Pisces",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PondRAT",
              "display_name": "PondRAT",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "kupayupdate_stage2",
              "display_name": "kupayupdate_stage2",
              "target": null
            },
            {
              "id": "BADCALL - S0245",
              "display_name": "BADCALL - S0245",
              "target": null
            },
            {
              "id": "AppleJeus - S0584",
              "display_name": "AppleJeus - S0584",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "69f837f3d2d59a26f6d3acf3",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e1797e61f69c762b1dc8aa",
          "name": "Threat Assessment: North Korean Threat Groups",
          "description": "This blog presents a comprehensive assessment of North Korean threat groups, as well as the techniques Palo Alto Networks uses to protect customers from the malware campaigns these groups carry out on behalf of the Korean People's Army.",
          "modified": "2024-10-11T11:02:17.959000",
          "created": "2024-09-11T11:05:34.786000",
          "tags": [
            "cortex xdr",
            "hloader",
            "sugarloader",
            "figure",
            "kandykorn",
            "pondrat",
            "palo alto",
            "discord",
            "smoothoperator",
            "objcshellz",
            "fullhouse",
            "poolrat",
            "comebacker",
            "agent",
            "updateagent",
            "lazarus",
            "bluenoroff",
            "kimsuky",
            "alliance",
            "slow",
            "rats",
            "hack",
            "swift",
            "rust",
            "download",
            "python",
            "shell",
            "february",
            "class",
            "korean",
            "macos",
            "http",
            "linux",
            "windows",
            "rustbucket"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
          ],
          "public": 1,
          "adversary": "Comebacker",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Korean",
              "display_name": "Korean",
              "target": null
            },
            {
              "id": "MacOS",
              "display_name": "MacOS",
              "target": null
            },
            {
              "id": "Fullhouse",
              "display_name": "Fullhouse",
              "target": null
            },
            {
              "id": "HTTP",
              "display_name": "HTTP",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "RustBucket",
              "display_name": "RustBucket",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Comebacker",
              "display_name": "Comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial",
            "Media",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 37,
            "URL": 2,
            "domain": 29,
            "hostname": 1
          },
          "indicator_count": 141,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "596 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66fcd68e1cbfc5e5c7c9b3ac",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
          "description": "",
          "modified": "2024-10-02T05:13:50.146000",
          "created": "2024-10-02T05:13:50.146000",
          "tags": [
            "poolrat",
            "pondrat",
            "python",
            "linux",
            "cortex xdr",
            "gleaming",
            "sha256",
            "linux variant",
            "linux rat",
            "c2 server",
            "rats",
            "alliance",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?web_view=true"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66f12d093217c986eb6bea98",
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "605 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f12d093217c986eb6bea98",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
          "description": "",
          "modified": "2024-09-23T08:55:37.606000",
          "created": "2024-09-23T08:55:37.606000",
          "tags": [
            "poolrat",
            "pondrat",
            "python",
            "linux",
            "cortex xdr",
            "gleaming",
            "sha256",
            "linux variant",
            "linux rat",
            "c2 server",
            "rats",
            "alliance",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?web_view=true"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "614 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ebda71729a385fbe2b7451",
          "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
          "description": "",
          "modified": "2024-09-19T08:01:53.457000",
          "created": "2024-09-19T08:01:53.457000",
          "tags": [
            "poolrat",
            "pondrat",
            "python",
            "linux",
            "cortex xdr",
            "gleaming",
            "sha256",
            "linux variant",
            "linux rat",
            "c2 server",
            "rats",
            "alliance",
            "malware"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 10,
            "URL": 2,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "618 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?web_view=true",
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/",
        "IOCs-May1.csv",
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/",
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat",
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?pdf=print&lg=en&_wpnonce=7681ade9ed"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Various North Korean groups under the Reconnaissance General Bureau",
            "Gleaming Pisces"
          ],
          "malware_families": [
            "Kupayupdate_stage2",
            "Smoothoperator",
            "Applejeus - s0584",
            "Poolrat",
            "Odicloader",
            "Comebacker",
            "Badcall - s0245",
            "Rustbucket",
            "Fullhouse",
            "Objcshellz",
            "Collectionrat",
            "Kandykorn",
            "Pondrat"
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "unique_indicators": 113
        },
        "other": {
          "adversary": [
            "Gleaming Pisces",
            "Comebacker",
            "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT"
          ],
          "malware_families": [
            "Kupayupdate_stage2",
            "Linux",
            "Korean",
            "Applejeus - s0584",
            "Poolrat",
            "Comebacker",
            "Badcall - s0245",
            "Rustbucket",
            "Fullhouse",
            "Http",
            "Macos",
            "Windows",
            "Pondrat"
          ],
          "industries": [
            "Technology",
            "Financial",
            "Defense",
            "Cryptocurrency",
            "Media"
          ],
          "unique_indicators": 949
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/talesseries.com",
    "whois": "http://whois.domaintools.com/talesseries.com",
    "domain": "talesseries.com",
    "hostname": "www.talesseries.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "69f837f3d2d59a26f6d3acf3",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors",
      "description": "An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to the PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages including real-ids, coloredtxt, beautifultext, and minisound were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...",
      "modified": "2026-05-04T14:31:13.962000",
      "created": "2026-05-04T06:08:51.240000",
      "tags": [
        "pypi",
        "pondrat",
        "supply chain attack",
        "citrine sleet",
        "applejeus",
        "poolrat",
        "badcall"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?pdf=print&lg=en&_wpnonce=7681ade9ed"
      ],
      "public": 1,
      "adversary": "Gleaming Pisces",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PondRAT",
          "display_name": "PondRAT",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "kupayupdate_stage2",
          "display_name": "kupayupdate_stage2",
          "target": null
        },
        {
          "id": "BADCALL - S0245",
          "display_name": "BADCALL - S0245",
          "target": null
        },
        {
          "id": "AppleJeus - S0584",
          "display_name": "AppleJeus - S0584",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386455,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66e001e55e7c69c7c2be94df",
      "name": "Threat Assessment: North Korean Threat Groups",
      "description": "This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows, macOS, and Linux systems, providing technical insights into their functionality and Palo Alto Networks Cortex XDR's capability to detect and mitigate these threats.",
      "modified": "2024-10-10T08:03:36.798000",
      "created": "2024-09-10T08:23:01.551000",
      "tags": [
        "comebacker",
        "collectionrat",
        "northkorea",
        "malware",
        "fullhouse",
        "espionage",
        "poolrat",
        "rats",
        "cybercrime",
        "odicloader",
        "rustbucket",
        "objcshellz",
        "kandykorn",
        "pondrat",
        "smoothoperator"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
      ],
      "public": 1,
      "adversary": "Various North Korean groups under the Reconnaissance General Bureau",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RustBucket",
          "display_name": "RustBucket",
          "target": null
        },
        {
          "id": "KANDYKORN",
          "display_name": "KANDYKORN",
          "target": null
        },
        {
          "id": "SmoothOperator",
          "display_name": "SmoothOperator",
          "target": null
        },
        {
          "id": "ObjCShellz",
          "display_name": "ObjCShellz",
          "target": null
        },
        {
          "id": "Fullhouse",
          "display_name": "Fullhouse",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "PondRAT",
          "display_name": "PondRAT",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Comebacker",
          "display_name": "Comebacker",
          "target": null
        },
        {
          "id": "CollectionRAT",
          "display_name": "CollectionRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1009",
          "name": "Binary Padding",
          "display_name": "T1009 - Binary Padding"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 78,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 37,
        "URL": 2,
        "domain": 12,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386455,
      "modified_text": "597 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ebd3b71f5a7ab8302fcfa5",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
      "description": "Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining access to supply chain vendors and their customers. The malware, named PondRAT, shares similarities with POOLRAT, a known tool in Gleaming Pisces' arsenal. The infection chain involves several stages of encoded code execution, ultimately downloading and running the RAT. Similarities in code structure, function names, and encryption keys between PondRAT and previously attributed malware strengthen the connection to Gleaming Pisces. The research also revealed Linux variants of POOLRAT, expanding the group's cross-platform capabilities.",
      "modified": "2024-09-19T07:34:16.146000",
      "created": "2024-09-19T07:33:11.278000",
      "tags": [
        "pondrat",
        "poolrat",
        "macos",
        "rat",
        "cryptocurrency",
        "applejeus"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat"
      ],
      "public": 1,
      "adversary": "Gleaming Pisces",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PondRAT",
          "display_name": "PondRAT",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "AppleJeus - S0584",
          "display_name": "AppleJeus - S0584",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1588.002",
          "name": "Tool",
          "display_name": "T1588.002 - Tool"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386450,
      "modified_text": "618 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fbad82234fc33123b0ce6d",
      "name": "EbeeMay2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-06T21:07:14.769000",
      "created": "2026-05-06T21:07:14.769000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "filepath",
        "localappdata",
        "cve20250994 cve",
        "temp",
        "mutex",
        "local"
      ],
      "references": [
        "IOCs-May1.csv"
      ],
      "public": 1,
      "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 80,
        "CIDR": 3,
        "CVE": 10,
        "FileHash-MD5": 154,
        "FileHash-SHA1": 140,
        "FileHash-SHA256": 219,
        "URL": 80,
        "domain": 82,
        "email": 8,
        "hostname": 60
      },
      "indicator_count": 836,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f97a983da6af26addef4ba",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors",
      "description": "",
      "modified": "2026-05-05T05:05:28.702000",
      "created": "2026-05-05T05:05:28.702000",
      "tags": [
        "pypi",
        "pondrat",
        "supply chain attack",
        "citrine sleet",
        "applejeus",
        "poolrat",
        "badcall"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?pdf=print&lg=en&_wpnonce=7681ade9ed"
      ],
      "public": 1,
      "adversary": "Gleaming Pisces",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PondRAT",
          "display_name": "PondRAT",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "kupayupdate_stage2",
          "display_name": "kupayupdate_stage2",
          "target": null
        },
        {
          "id": "BADCALL - S0245",
          "display_name": "BADCALL - S0245",
          "target": null
        },
        {
          "id": "AppleJeus - S0584",
          "display_name": "AppleJeus - S0584",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "69f837f3d2d59a26f6d3acf3",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66e1797e61f69c762b1dc8aa",
      "name": "Threat Assessment: North Korean Threat Groups",
      "description": "This blog presents a comprehensive assessment of North Korean threat groups, as well as the techniques Palo Alto Networks uses to protect customers from the malware these groups deploy on behalf of the Korean People's Army.",
      "modified": "2024-10-11T11:02:17.959000",
      "created": "2024-09-11T11:05:34.786000",
      "tags": [
        "cortex xdr",
        "hloader",
        "sugarloader",
        "figure",
        "kandykorn",
        "pondrat",
        "palo alto",
        "discord",
        "smoothoperator",
        "objcshellz",
        "fullhouse",
        "poolrat",
        "comebacker",
        "agent",
        "updateagent",
        "lazarus",
        "bluenoroff",
        "kimsuky",
        "alliance",
        "slow",
        "rats",
        "hack",
        "swift",
        "rust",
        "download",
        "python",
        "shell",
        "february",
        "class",
        "korean",
        "macos",
        "http",
        "linux",
        "windows",
        "rustbucket"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
      ],
      "public": 1,
      "adversary": "Comebacker",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Korean",
          "display_name": "Korean",
          "target": null
        },
        {
          "id": "MacOS",
          "display_name": "MacOS",
          "target": null
        },
        {
          "id": "Fullhouse",
          "display_name": "Fullhouse",
          "target": null
        },
        {
          "id": "HTTP",
          "display_name": "HTTP",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "RustBucket",
          "display_name": "RustBucket",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Comebacker",
          "display_name": "Comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Financial",
        "Media",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 37,
        "URL": 2,
        "domain": 29,
        "hostname": 1
      },
      "indicator_count": 141,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "596 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66fcd68e1cbfc5e5c7c9b3ac",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
      "description": "",
      "modified": "2024-10-02T05:13:50.146000",
      "created": "2024-10-02T05:13:50.146000",
      "tags": [
        "poolrat",
        "pondrat",
        "python",
        "linux",
        "cortex xdr",
        "gleaming",
        "sha256",
        "linux variant",
        "linux rat",
        "c2 server",
        "rats",
        "alliance",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?web_view=true"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66f12d093217c986eb6bea98",
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "605 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f12d093217c986eb6bea98",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
      "description": "",
      "modified": "2024-09-23T08:55:37.606000",
      "created": "2024-09-23T08:55:37.606000",
      "tags": [
        "poolrat",
        "pondrat",
        "python",
        "linux",
        "cortex xdr",
        "gleaming",
        "sha256",
        "linux variant",
        "linux rat",
        "c2 server",
        "rats",
        "alliance",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/?web_view=true"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "614 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ebda71729a385fbe2b7451",
      "name": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors",
      "description": "",
      "modified": "2024-09-19T08:01:53.457000",
      "created": "2024-09-19T08:01:53.457000",
      "tags": [
        "poolrat",
        "pondrat",
        "python",
        "linux",
        "cortex xdr",
        "gleaming",
        "sha256",
        "linux variant",
        "linux rat",
        "c2 server",
        "rats",
        "alliance",
        "malware"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 10,
        "URL": 2,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "618 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://www.talesseries.com/write.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://www.talesseries.com/write.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780176099.5214822
}