{ "type": "URL", "indicator": "https://103.221.252.52/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://103.221.252.52/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4169749558, "indicator": "https://103.221.252.52/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953075fca5a8e39827bb966", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 138 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T22:01:33.206000", "created": "2025-12-29T22:57:35.780000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "hostname": 2 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951d20b67c888e6553e1085", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 158 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-29T00:57:46.980000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 1, "hostname": 3 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69514aa13c6d10acf20d784d", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(104), Unknown malware(86), DragonForce(34), AsyncRAT(29), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:20:01.380000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695151ace7d644422bdc8da9", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(101), Unknown malware(86), DragonForce(34), AsyncRAT(33), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:50:04.165000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 38, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 151, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69513c93285c03e79484f987", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(110), Unknown malware(86), DragonForce(34), AsyncRAT(25), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:20:03.878000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951439ca9f0662d5e7e24be", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(107), Unknown malware(86), DragonForce(34), AsyncRAT(27), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:50:04.576000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69512e81f84cdfc640becaf7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(116), Unknown malware(82), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:20:01.949000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951358c294b652c16aa50d0", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(117), Unknown malware(91), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:50:04.190000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951207341c2f26f6931714f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(124), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 51 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:20:03.629000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951277d62fff969ebbcde03", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:50:05.587000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695112611441ca6345ba912a", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(127), Unknown malware(103), DragonForce(34), AsyncRAT(23), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T11:01:33.797000", "created": "2025-12-28T11:20:01.868000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 52, "URL": 29, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951196bd2076fc12fcec26b", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(104), DragonForce(34), AsyncRAT(23), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T11:01:33.797000", "created": "2025-12-28T11:50:03.366000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 31, "hostname": 52, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69510b5b787f5a67dd4b035f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(129), Unknown malware(100), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T10:03:29.705000", "created": "2025-12-28T10:50:03.580000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 29, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950fd4ddc5c4a0b38fbbde7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(129), Unknown malware(100), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T09:03:11.977000", "created": "2025-12-28T09:50:05.854000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 49, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950e83be370ec01c77dcce4", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(125), Unknown malware(95), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T08:00:32.278000", "created": "2025-12-28T08:20:11.876000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "hostname": 55, "URL": 24, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950ef3ba2712e4e554a960b", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(95), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T08:00:32.278000", "created": "2025-12-28T08:50:03.209000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "hostname": 55, "URL": 24, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950da222fd02dab3e101308", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(110), DragonForce(34), Aisuru(17), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 4 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T07:03:09.395000", "created": "2025-12-28T07:20:02.475000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950e12c039bd271c4a3565e", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(125), Unknown malware(108), DragonForce(34), AsyncRAT(18), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 4 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T07:03:09.395000", "created": "2025-12-28T07:50:04.253000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "FileHash-MD5": 41, "hostname": 64, "URL": 23 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950cc17f8acacb52e4cd56f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(123), DragonForce(34), AsyncRAT(25), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 74 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T06:01:48.503000", "created": "2025-12-28T06:20:07.409000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950d31c7cfd6fd9f3186008", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(123), ClearFake(121), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T06:01:48.503000", "created": "2025-12-28T06:50:04.758000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950be031d8191485f08ff60", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(120), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T05:04:33.803000", "created": "2025-12-28T05:20:03.469000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 72, "domain": 2, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950c50b44f0346b6ad2fcaa", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(123), ClearFake(121), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T05:04:33.803000", "created": "2025-12-28T05:50:03.654000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "hostname": 69, "domain": 2, "FileHash-MD5": 38 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950aff45187f933403527f9", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(122), ClearFake(119), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T04:01:00.426000", "created": "2025-12-28T04:20:04.179000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "domain": 3, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950b6fc910ebd20c634e613", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(120), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T04:01:00.426000", "created": "2025-12-28T04:50:04.423000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 72, "domain": 2, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950a8f05435f15faa95c540", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T03:04:02.635000", "created": "2025-12-28T03:50:08.065000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "domain": 3, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 140, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695093d4bfeffbcd169db5f5", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(117), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T02:04:15.895000", "created": "2025-12-28T02:20:04.231000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69509adc0cf219b0eee791e0", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T02:04:15.895000", "created": "2025-12-28T02:50:03.999000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695085c1bf416e4bcf91a206", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(115), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T01:03:59.487000", "created": "2025-12-28T01:20:01.907000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69508ccdb2c137102a10265a", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T01:03:59.487000", "created": "2025-12-28T01:50:05.047000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695077b39161b824609550ba", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(117), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T00:02:33.436000", "created": "2025-12-28T00:20:03.676000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69507eb947d30fef12c60b01", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(115), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T00:02:33.436000", "created": "2025-12-28T00:50:01.833000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950684142402dd3c4dc16ce", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(115), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:14:09.196000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695069a144239720870fde0c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(113), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:20:01.909000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695070a923f7e9425c1254fd", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(113), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:50:01.704000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695056ec3ae0b10f94c84e9d", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:00:12.519000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69505b9153643c2cbefd8891", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:20:01.435000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950629920fe3a3c4fde074d", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(117), ClearFake(115), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:50:01.370000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 84, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69504d813a63dbf11baa956f", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(115), ClearFake(113), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:20:01.057000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 83, "URL": 23, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950548ce3cf60cd8b2e0e26", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:50:04.286000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 2, "hostname": 80, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695055a7c548b334d2897929", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:54:47.330000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 2, "hostname": 80, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695056247ac4ea100d0e129b", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:56:52.886000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69503f73b0fb14822bdcb0c7", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(99), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T20:01:15.477000", "created": "2025-12-27T20:20:03.757000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 24, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950467d077e7fcb4aa40401", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(115), ClearFake(103), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T20:01:15.477000", "created": "2025-12-27T20:50:05.059000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 23, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69502e34366c47ecca7e1e1a", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(98), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:06:28.187000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 22, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 143, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69503161c3e65948c7a1f8ee", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(96), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:20:01.584000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 79, "URL": 22, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950386bd38d7679f5e5007c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(110), ClearFake(101), DragonForce(34), AsyncRAT(21), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:50:03.829000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 23, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950270f366ea08035ce68a4", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:35:59.795000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950281eb4afb02cd8608e7c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:40:30.594000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695028ee3ec197226e39102a", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:43:58.561000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Meterpreter", "Cobalt strike", "Clearfake", "Asyncrat", "Unknown malware", "Aisuru", "Dragonforce" ], "industries": [], "unique_indicators": 3386 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/103.221.252.52", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6953075fca5a8e39827bb966", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 138 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T22:01:33.206000", "created": "2025-12-29T22:57:35.780000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "hostname": 2 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951d20b67c888e6553e1085", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 158 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-29T00:57:46.980000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 1, "hostname": 3 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69514aa13c6d10acf20d784d", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(104), Unknown malware(86), DragonForce(34), AsyncRAT(29), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:20:01.380000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695151ace7d644422bdc8da9", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(101), Unknown malware(86), DragonForce(34), AsyncRAT(33), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:50:04.165000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 38, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 151, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69513c93285c03e79484f987", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(110), Unknown malware(86), DragonForce(34), AsyncRAT(25), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:20:03.878000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951439ca9f0662d5e7e24be", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(107), Unknown malware(86), DragonForce(34), AsyncRAT(27), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:50:04.576000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69512e81f84cdfc640becaf7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(116), Unknown malware(82), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:20:01.949000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951358c294b652c16aa50d0", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(117), Unknown malware(91), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:50:04.190000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951207341c2f26f6931714f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(124), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 51 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:20:03.629000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://103.221.252.52/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://103.221.252.52/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780530795.1441846 }