{ "type": "URL", "indicator": "https://159.223.94.233/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://159.223.94.233/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4171657924, "indicator": "https://159.223.94.233/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695734a37bb649c2bd275a8f", "name": "URLHaus data - 01-01-2026 (Part 2)", "description": "", "modified": "2026-02-01T02:03:59.852000", "created": "2026-01-02T02:59:47.055000", "tags": [ "32-bit", "elf", "mips", "Mozi", "c2-monitor-auto", "dropped-by-amadey", "hajime", "ps1", "arm", "mirai", "ua-wget", "CoinMiner", "Vidar", "ascii", "censys", "Encoded", "hex", "hex-loader", "sh", "botnetdomain", "opendir", "geofenced", "USA", "x86", "AsyncRAT", "lnk", "xml-opendir", "iframe", "fbf543", "exe", "stealer", "MaskGramStealer", "ClickFix", "ClickFix-cc", "payload", "vbs", "html", "OffLoader", "msi", "huntio", "ParallaxRAT", "Sliver", "siberguvenlik", "gafgyt", "rustystealer" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 273, "domain": 2, "hostname": 1 }, "indicator_count": 276, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69571964819f87afc0635cd4", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T01:01:15.812000", "created": "2026-01-02T01:03:32.300000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570d3fa84e66695169d7fd", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:11:43.742000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570e6c52da162b885bc40f", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:16:44.332000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695708eb70cd45cc6fa8af77", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 105 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T23:01:43.727000", "created": "2026-01-01T23:53:15.177000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956ed2fa2818e82b0808c0e", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T21:03:12.723000", "created": "2026-01-01T21:54:55.048000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956d251baf896f0196e06ea", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T20:00:47.735000", "created": "2026-01-01T20:00:17.126000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955b6aea7de19750cf24353", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(85), GootLoader(27), AsyncRAT(18), Cobalt Strike(16), Lumma Stealer(13). Source: abuse.ch ThreatFox API. SSL enriched: 44 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-31T23:50:06.137000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 56, "domain": 24, "URL": 24 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955a192c753bf4dceb4553f", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(32), GootLoader(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T22:03:30.045000", "created": "2025-12-31T22:20:02.035000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 51, "domain": 24, "URL": 29 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955a89cd898ed6636494d7e", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/ClearFake", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), GootLoader(26), ClearFake(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T22:03:30.045000", "created": "2025-12-31T22:50:04.490000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "clearfake", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "domain": 24, "URL": 29 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69559a8c6e66cd07aa360080", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(44), GootLoader(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T21:02:11.127000", "created": "2025-12-31T21:50:04", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 51, "domain": 24, "URL": 29 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69558577e8221b8efbff0040", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(64), GootLoader(22), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T20:00:55.934000", "created": "2025-12-31T20:20:07.640000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 24, "URL": 29 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69558c7aaaad5b04e0422932", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(56), GootLoader(22), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T20:00:55.934000", "created": "2025-12-31T20:50:02.544000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 24, "URL": 29 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695577611faffa23dee75695", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(80), Unknown malware(79), GootLoader(20), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T19:01:58.020000", "created": "2025-12-31T19:20:01.748000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69556954f090c9c50ca26709", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(97), Unknown malware(79), GootLoader(18), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T18:01:37.521000", "created": "2025-12-31T18:20:04.590000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955705e9d2efd2317dceb83", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(89), Unknown malware(79), GootLoader(18), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T18:01:37.521000", "created": "2025-12-31T18:50:06.351000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69555b4109060796f54a2add", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(111), Unknown malware(79), Cobalt Strike(17), Lumma Stealer(15), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T17:05:55.117000", "created": "2025-12-31T17:20:01.664000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955624985fcdbb11a4c8b6c", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(103), Unknown malware(79), Cobalt Strike(17), AsyncRAT(16), GootLoader(16). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T17:05:55.117000", "created": "2025-12-31T17:50:01.554000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 23, "URL": 29 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69554d340037309bc3d05224", "name": "OSINT Volley 2025-12-31 - ClearFake/Cobalt Strike/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(127), Cobalt Strike(85), Unknown malware(79), Lumma Stealer(27), AsyncRAT(12). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:20:04.042000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "cobalt-strike", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 21, "URL": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955543c6a72d5d78f7c7b31", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Lumma Stealer", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(119), Unknown malware(79), Lumma Stealer(27), Cobalt Strike(17), GootLoader(14). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:50:04.196000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "lumma-stealer", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955560ac14446d3225ccd45", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-31", "description": "Automated ThreatFox hunt for Unknown malware indicators. 175 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:57:46.896000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "domain": 1, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69555649599d2d7a59158574", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Lumma Stealer", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(119), Unknown malware(79), Lumma Stealer(27), Cobalt Strike(17), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:58:49.090000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "lumma-stealer", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955462cdc7a0f04a4bd5995", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(135), Unknown malware(103), Cobalt Strike(89), Lumma Stealer(27), AsyncRAT(11). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T15:01:37.873000", "created": "2025-12-31T15:50:04.630000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 50, "domain": 21, "URL": 28 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69553114d58c283ab3a0ed63", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(157), Unknown malware(111), Cobalt Strike(89), Lumma Stealer(27), Mirai(12). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T14:03:07.217000", "created": "2025-12-31T14:20:04.731000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955381cd840229a80a328bf", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(149), Unknown malware(103), Cobalt Strike(89), Lumma Stealer(27), Mirai(11). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T14:03:07.217000", "created": "2025-12-31T14:50:04.231000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695523017962ea60605d5098", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(172), Unknown malware(111), Cobalt Strike(92), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T13:04:11.833000", "created": "2025-12-31T13:20:01.932000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69552a0c2b2db2bdadc06aec", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(167), Unknown malware(111), Cobalt Strike(92), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T13:04:11.833000", "created": "2025-12-31T13:50:04.073000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695514f4dda682202a166e41", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(184), Unknown malware(111), Cobalt Strike(94), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 79 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T12:05:26.268000", "created": "2025-12-31T12:20:04.140000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 47, "domain": 20, "URL": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69551bfcf6d6ba8922ac72d3", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(176), Unknown malware(111), Cobalt Strike(93), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 79 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T12:05:26.268000", "created": "2025-12-31T12:50:04.558000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695506e37e0e2f702d9e8e00", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(200), Unknown malware(120), Cobalt Strike(93), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T11:01:31.678000", "created": "2025-12-31T11:20:03.865000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 59, "domain": 20, "URL": 28 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69550deee11356c404831c19", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(192), Unknown malware(120), Cobalt Strike(95), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T11:01:31.678000", "created": "2025-12-31T11:50:06.443000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 20, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954f8e0516d05fbb21156d6", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(219), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T10:04:07.167000", "created": "2025-12-31T10:20:16.087000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "URL": 28, "hostname": 65 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954ffdd455ecde4b1a541c5", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(205), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T10:04:07.167000", "created": "2025-12-31T10:50:05.928000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 65, "domain": 20, "URL": 28 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954f1d059d6f4d34056dde0", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(224), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T09:00:44.611000", "created": "2025-12-31T09:50:08.173000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "URL": 28, "hostname": 65 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954dcb57625377d065184d8", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(254), Unknown malware(116), Cobalt Strike(94), SalatStealer(24), AsyncRAT(17). Source: abuse.ch ThreatFox API. SSL enriched: 83 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T08:00:01.632000", "created": "2025-12-31T08:20:05.511000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 85, "URL": 25, "domain": 4 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954e3bed76ca090e3a6f59a", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(247), Unknown malware(116), Cobalt Strike(94), SalatStealer(24), AsyncRAT(17). Source: abuse.ch ThreatFox API. SSL enriched: 86 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T08:00:01.632000", "created": "2025-12-31T08:50:06.089000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 82, "URL": 25, "domain": 4 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954d5ad99107bdbd6eff113", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(138), Cobalt Strike(94), SalatStealer(24), Meterpreter(20). Source: abuse.ch ThreatFox API. SSL enriched: 76 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T07:03:20.260000", "created": "2025-12-31T07:50:04.997000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "hostname": 106, "domain": 4 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954c095f9326c2811926a9e", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T06:00:51.865000", "created": "2025-12-31T06:20:05.383000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 67, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954c79d5e6d3536b0e2c2b1", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T06:00:51.865000", "created": "2025-12-31T06:50:05.401000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 67, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954b98c294205f7f86672e6", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T05:00:01.077000", "created": "2025-12-31T05:50:04.286000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 67, "hostname": 76, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954a47345eb9d2e5bb21694", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(143), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T04:03:08.625000", "created": "2025-12-31T04:20:03.638000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 59, "domain": 5 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954ab794f39613db3e136fa", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(143), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T04:03:08.625000", "created": "2025-12-31T04:50:01.971000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 59, "domain": 5 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69549663b367946d1418e92a", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(137), Cobalt Strike(106), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 97 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T03:04:44.497000", "created": "2025-12-31T03:20:03.906000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94, "URL": 60, "domain": 5 }, "indicator_count": 159, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69549d6d0809241237ea459d", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(137), Cobalt Strike(106), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 97 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T03:04:44.497000", "created": "2025-12-31T03:50:03.518000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94, "URL": 60, "domain": 5 }, "indicator_count": 159, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695488536274682db9451c77", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(137), Cobalt Strike(106), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 97 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T02:00:24.431000", "created": "2025-12-31T02:20:03.938000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "domain": 5, "hostname": 94 }, "indicator_count": 159, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954814b49506e62c8949d35", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(137), Cobalt Strike(106), Sliver(62), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 97 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T01:03:09.819000", "created": "2025-12-31T01:50:03.917000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "URL": 15, "hostname": 127 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695624dfb23fa246d89c8a33", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:40:15.665000", "created": "2026-01-01T07:40:15.665000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 40, "URL": 30, "hostname": 306 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69562286590921fda13de2f9", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:30:14.030000", "created": "2026-01-01T07:30:14.030000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "URL": 30, "hostname": 308 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://github.com/pduggusa/dugganusa-research", "https://threatfox.abuse.ch", "https://analytics.dugganusa.com/api/v1/stix/master" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Mirai", "Clearfake", "Unknown malware", "Cobalt strike", "Lumma stealer", "Sliver", "Asyncrat", "Gootloader", "Meterpreter", "Salatstealer" ], "industries": [], "unique_indicators": 51422 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/159.223.94.233", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695734a37bb649c2bd275a8f", "name": "URLHaus data - 01-01-2026 (Part 2)", "description": "", "modified": "2026-02-01T02:03:59.852000", "created": "2026-01-02T02:59:47.055000", "tags": [ "32-bit", "elf", "mips", "Mozi", "c2-monitor-auto", "dropped-by-amadey", "hajime", "ps1", "arm", "mirai", "ua-wget", "CoinMiner", "Vidar", "ascii", "censys", "Encoded", "hex", "hex-loader", "sh", "botnetdomain", "opendir", "geofenced", "USA", "x86", "AsyncRAT", "lnk", "xml-opendir", "iframe", "fbf543", "exe", "stealer", "MaskGramStealer", "ClickFix", "ClickFix-cc", "payload", "vbs", "html", "OffLoader", "msi", "huntio", "ParallaxRAT", "Sliver", "siberguvenlik", "gafgyt", "rustystealer" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 273, "domain": 2, "hostname": 1 }, "indicator_count": 276, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69571964819f87afc0635cd4", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T01:01:15.812000", "created": "2026-01-02T01:03:32.300000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570d3fa84e66695169d7fd", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:11:43.742000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570e6c52da162b885bc40f", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:16:44.332000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695708eb70cd45cc6fa8af77", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 105 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T23:01:43.727000", "created": "2026-01-01T23:53:15.177000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956ed2fa2818e82b0808c0e", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T21:03:12.723000", "created": "2026-01-01T21:54:55.048000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956d251baf896f0196e06ea", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T20:00:47.735000", "created": "2026-01-01T20:00:17.126000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955b6aea7de19750cf24353", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(85), GootLoader(27), AsyncRAT(18), Cobalt Strike(16), Lumma Stealer(13). Source: abuse.ch ThreatFox API. SSL enriched: 44 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-31T23:50:06.137000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 56, "domain": 24, "URL": 24 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://159.223.94.233/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://159.223.94.233/", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "censys", "ClickFix", "ClickFix-cc", "html" ], "date_added": "2026-01-01", "last_online": "2026-01-23", "reporter": "NDA0E", "host": "159.223.94.233", "payloads": [ { "filename": "4e5485992f13c749625e4703116336dbc2d4b1fb3500d7a8ab0908432532c12e.html", "file_type": "html", "md5": "4bc77229bc0131b3759648a99c7d5cc7", "sha256": "4e5485992f13c749625e4703116336dbc2d4b1fb3500d7a8ab0908432532c12e", "signature": null, "first_seen": "2026-01-05" }, { "filename": "94d766b7d6b4c19771fab40041da19c2995353fda5029d5fcdd1c8c5d63434a6.html", "file_type": "html", "md5": "ce882365cd1a539f960ba4c65cb1eea8", "sha256": "94d766b7d6b4c19771fab40041da19c2995353fda5029d5fcdd1c8c5d63434a6", "signature": null, "first_seen": "2026-01-05" }, { "filename": "71ba7b2633d2a6d18485f983d7ce97007de94162ad309249150a1fef0f42b941.html", "file_type": "html", "md5": "b2067c2993f91e3768dd94dba8ea6361", "sha256": "71ba7b2633d2a6d18485f983d7ce97007de94162ad309249150a1fef0f42b941", "signature": null, "first_seen": "2026-01-01" } ], "error": null }, "from_cache": true, "_cached_at": 1780454302.9656024 }