{ "type": "URL", "indicator": "https://18.216.144.67/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://18.216.144.67/", "type": "url", "type_title": "URL", "validation": [ { "source": "cloud", "message": "In cloud provider range: provider=AWS", "name": "Cloud Provider IP range" } ], "base_indicator": { "id": 4187652721, "indicator": "https://18.216.144.67/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "697a900b154453e0f9986ee0", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-28", "description": "Automated ThreatFox hunt for Unknown malware indicators. 51 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:07.097000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 6, "hostname": 5 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69790fe156dbcdd3c68cb776", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T19:00:09.546000", "created": "2026-01-27T19:20:01.485000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 9, "hostname": 22, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697916ec23f5ec3379880604", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T19:00:09.546000", "created": "2026-01-27T19:50:04.348000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 9, "hostname": 22, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697901d2dc65c28d1e88baf4", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:20:02.064000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 31, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697905b4b66709625608797a", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:36:36.493000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697905f4a157155b765d78ba", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:37:40.217000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 31, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697909347ddd7aa3ef7db36c", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:51:32.742000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 30, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f1dc3f06c44724bcf6de", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:11:56.940000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f235b7fb743710904e1c", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:13:25.145000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 23, "URL": 30, "FileHash-MD5": 35 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f3c1bcf47ed11f3c6651", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:20:01.785000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 23, "URL": 30, "FileHash-MD5": 35 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f53ac79bdc4b6cabfaf1", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:26:18.260000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f588a67e68f1d7923c64", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:27:36.210000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 23, "URL": 30, "FileHash-MD5": 35 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978fb75206b8863f13af858", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:52:53.868000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978fbc3872474e9249a566d", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:54:11.633000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 24, "URL": 31, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978e5b88addf3ad5dfdbe7c", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T16:03:13.237000", "created": "2026-01-27T16:20:08.496000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "URL": 30, "FileHash-MD5": 35, "domain": 7 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978ecbf8e5a39aaf1324882", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T16:03:13.237000", "created": "2026-01-27T16:50:07.033000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "URL": 30, "FileHash-MD5": 35, "domain": 7 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978deadd0f913fd8060c852", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), BQTlock(35), Unknown malware(35), Vidar(34), Cobalt Strike(28). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T15:00:59.868000", "created": "2026-01-27T15:50:05.011000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "URL": 31, "FileHash-MD5": 35, "domain": 8 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978c9966933f14c21e42328", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(35), Vidar(31), Cobalt Strike(28), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T14:03:40.533000", "created": "2026-01-27T14:20:06.342000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 23, "domain": 9, "URL": 27 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978d09a65f59d0d54619780", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(35), Vidar(34), Cobalt Strike(28), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T14:03:40.533000", "created": "2026-01-27T14:50:02.178000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 23, "domain": 9 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978bb81cdf26d3fe9917fa4", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(35), Cobalt Strike(28), Vidar(21), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T13:04:21.910000", "created": "2026-01-27T13:20:01.836000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "domain": 8, "hostname": 18 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978c28dc4ce8f531b224622", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(35), Vidar(30), Cobalt Strike(28), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T13:04:21.910000", "created": "2026-01-27T13:50:04.998000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 20, "domain": 8, "URL": 25 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978ad7bfa396632d41136f8", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(34), Cobalt Strike(28), Vidar(21), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T12:02:06.130000", "created": "2026-01-27T12:20:11.508000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "URL": 15, "hostname": 18 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978b51f8b4b8ac8688d7c0c", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(65), Unknown malware(34), Cobalt Strike(28), Vidar(21), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T12:02:06.130000", "created": "2026-01-27T12:52:47.099000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17, "domain": 8, "hostname": 18 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69789f66e0a2ccc7d37f07a7", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(34), Cobalt Strike(26), Vidar(21), Quasar RAT(13). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-27T11:20:06.634000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "hostname": 27, "domain": 14 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978a66d63e604a9066ca2df", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(34), Cobalt Strike(26), Vidar(21), Quasar RAT(13). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-27T11:50:05.513000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "hostname": 27, "domain": 14 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69789152cdf73c41e97b6bd9", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(26), Vidar(20), Quasar RAT(13). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T10:00:07.457000", "created": "2026-01-27T10:20:02.320000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 24, "domain": 16 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978985b234a54c4661898b3", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(29), Vidar(20), Quasar RAT(13). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T10:00:07.457000", "created": "2026-01-27T10:50:03.022000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 21, "domain": 16 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978834299ced3c1e1070317", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(26), Vidar(20), Remcos(12). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T09:01:51.848000", "created": "2026-01-27T09:20:02.120000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 26, "domain": 16, "hostname": 27 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69788a4ca8edaee25e87efe9", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(26), Vidar(20), Quasar RAT(13). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T09:01:51.848000", "created": "2026-01-27T09:50:04.576000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 24, "domain": 16 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69787537fac8893364ffb587", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(26), Vidar(20), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 32 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T08:04:56.666000", "created": "2026-01-27T08:20:07.836000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 33, "URL": 28, "domain": 14 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69787c3a3c13ceb2ae049e89", "name": "OSINT Volley 2026-01-27 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(75), Unknown malware(32), Cobalt Strike(26), Vidar(20), Remcos(12). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T08:04:56.666000", "created": "2026-01-27T08:50:02.339000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 30, "URL": 28 }, "indicator_count": 73, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69786721651170613fd8c984", "name": "OSINT Volley 2026-01-27 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(68), Vidar(58), Unknown malware(32), Cobalt Strike(30), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T07:03:45.621000", "created": "2026-01-27T07:20:01.872000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "URL": 31, "hostname": 36 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69786e2de4c22dc0f31e38f5", "name": "OSINT Volley 2026-01-27 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(68), Vidar(58), Unknown malware(33), Cobalt Strike(30), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T07:03:45.621000", "created": "2026-01-27T07:50:05.191000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "domain": 15, "hostname": 36 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69785915fa9ed8aa8093f82f", "name": "OSINT Volley 2026-01-27 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(68), Vidar(58), Unknown malware(32), Cobalt Strike(30), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T06:03:44.478000", "created": "2026-01-27T06:20:05.298000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 31, "hostname": 36, "domain": 15 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978601931717052406f213a", "name": "OSINT Volley 2026-01-27 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(68), Vidar(58), Unknown malware(32), Cobalt Strike(30), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T06:03:44.478000", "created": "2026-01-27T06:50:01.325000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "URL": 31, "hostname": 36 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978520c4c226c285aa5b066", "name": "OSINT Volley 2026-01-27 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(68), Vidar(58), Unknown malware(33), Cobalt Strike(30), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T05:05:20.114000", "created": "2026-01-27T05:50:04.501000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "hostname": 33, "domain": 15 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6981b2ac13aadd4423c7ce37", "name": "Payload_Delivery | 2026-01-31", "description": "Payload_Delivery indicators. Date: 2026-01-31. Total: 315 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-02-03T08:32:44.604000", "created": "2026-02-03T08:32:44.604000", "tags": [ "payload_delivery", "threatfox" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 65, "URL": 133, "domain": 113 }, "indicator_count": 311, "is_author": false, "is_subscribing": null, "subscriber_count": 98, "modified_text": "120 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697989ceefe2fad84f53d309", "name": "PreCog Sweep - 2026-01-28 04h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T04:00:14.024000", "created": "2026-01-28T04:00:14.024000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979877872fccbb78d6999e4", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:50:16.284000", "created": "2026-01-28T03:50:16.284000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979854b36162eaf9af0de21", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:40:59.894000", "created": "2026-01-28T03:40:59.894000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979832df478e88632665a5f", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:31:57.495000", "created": "2026-01-28T03:31:57.495000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979808525f81a8f768f00c0", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:20:37.315000", "created": "2026-01-28T03:20:37.315000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69797e1527be5a76f559b282", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:10:13.416000", "created": "2026-01-28T03:10:13.416000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69797bbd12a7fcf16f91cfb5", "name": "PreCog Sweep - 2026-01-28 03h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T03:00:13.383000", "created": "2026-01-28T03:00:13.383000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979796509c1520a1982ce4b", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:50:13.211000", "created": "2026-01-28T02:50:13.211000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 39, "URL": 40, "domain": 11 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697977cb88272f1f0379e1a5", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:43:23.551000", "created": "2026-01-28T02:43:23.551000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 40, "domain": 11 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6979751e43ea1490258d75b5", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:31:58.881000", "created": "2026-01-28T02:31:58.881000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 40, "domain": 11 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69797290a0d9ed32affad4d1", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:21:04.804000", "created": "2026-01-28T02:21:04.804000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 40, "domain": 11 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69797013af3692463250ac03", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:10:27.907000", "created": "2026-01-28T02:10:27.907000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 40, "domain": 11 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69796daefc58e08d5a83bba5", "name": "PreCog Sweep - 2026-01-28 02h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-28T02:00:14.489000", "created": "2026-01-28T02:00:14.489000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 38, "URL": 40, "domain": 11 }, "indicator_count": 89, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/pduggusa/dugganusa-research", "https://threatfox.abuse.ch", "https://ltna.com.au/cyber", "https://analytics.dugganusa.com/api/v1/stix/master", "https://analytics.dugganusa.com/api/v1/stix-feed/v2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Asyncrat", "Cobalt strike", "Unknown malware", "Vidar", "Bqtlock", "Remcos", "Quasar rat", "Meterpreter" ], "industries": [], "unique_indicators": 682 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/18.216.144.67", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "697a900b154453e0f9986ee0", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-28", "description": "Automated ThreatFox hunt for Unknown malware indicators. 51 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:07.097000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 6, "hostname": 5 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "96 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69790fe156dbcdd3c68cb776", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T19:00:09.546000", "created": "2026-01-27T19:20:01.485000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 9, "hostname": 22, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697916ec23f5ec3379880604", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T19:00:09.546000", "created": "2026-01-27T19:50:04.348000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 9, "hostname": 22, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697901d2dc65c28d1e88baf4", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:20:02.064000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 31, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697905b4b66709625608797a", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:36:36.493000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697905f4a157155b765d78ba", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:37:40.217000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 31, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697909347ddd7aa3ef7db36c", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(34), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T18:01:51.278000", "created": "2026-01-27T18:51:32.742000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 30, "domain": 8, "FileHash-MD5": 35 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f1dc3f06c44724bcf6de", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-27", "description": "Automated ThreatFox hunt for Unknown malware indicators. 50 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:11:56.940000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "hostname": 4, "domain": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f235b7fb743710904e1c", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:13:25.145000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 23, "URL": 30, "FileHash-MD5": 35 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6978f3c1bcf47ed11f3c6651", "name": "OSINT Volley 2026-01-27 - Meterpreter/BQTlock/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(70), BQTlock(35), Unknown malware(33), Vidar(30), Cobalt Strike(26). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-26T17:05:33.593000", "created": "2026-01-27T17:20:01.785000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "bqtlock", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "BQTlock", "display_name": "BQTlock", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 23, "URL": 30, "FileHash-MD5": 35 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://18.216.144.67/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://18.216.144.67/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780524416.3340104 }