{ "type": "URL", "indicator": "https://193.233.48.98", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://193.233.48.98", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4239352347, "indicator": "https://193.233.48.98", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a7db16e279cafc1252ef4a", "name": "Forbidden Hyena attacks with new remote access trojan BlackReaperRAT", "description": "Threat Intelligence observed significant activity from the Forbidden Hyena threat actor group in late 2025 into early 2026, unveiling a novel remote access trojan (RAT) named BlackReaperRAT and a modified version of the Blackout Locker ransomware, now rebranded as Milkyway. BlackReaperRAT is disseminated via RAR files containing a batch script (1.bat) designed to execute a malicious VBS script (1.vbs), which subsequently downloads the RAT and a misleading document to distract users.\n\nThe BlackReaperRAT is implemented as an obfuscated VBS script that generates a unique BotID upon execution, storing it in the user\u2019s application data directory. Persistence mechanisms are robustly built in; it utilizes registry modifications to create autorun entries to ensure it executes upon system startup and employs Windows Task Scheduler for additional persistence as it registers these tasks under the highest privileges.", "modified": "2026-04-03T07:14:44.209000", "created": "2026-03-04T07:11:18.530000", "tags": [ "forbidden hyena", "blackreaperrat", "hyena", "blackout", "locker", "powershell", "appdata", "blackout locker", "bash", "filepath", "anydesk", "sliver", "service", "local", "powersploit", "netcat", "media", "execution", "date", "root", "dmsetup", "plink", "persistence", "manipulation", "defender", "powerview", "tools", "team", "cookie" ], "references": [ "https://bi.zone/expertise/blog/forbidden-hyena-atakuet-s-novym-troyanom-udalennogo-dostupa-blackreaperrat/" ], "public": 1, "adversary": "Forbidden_hyena", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 27, "URL": 9, "domain": 2, "hostname": 1 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.1.csv", "https://bi.zone/expertise/blog/forbidden-hyena-atakuet-s-novym-troyanom-udalennogo-dostupa-blackreaperrat/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "Forbidden_hyena" ], "malware_families": [], "industries": [], "unique_indicators": 992 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/193.233.48.98", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a7db16e279cafc1252ef4a", "name": "Forbidden Hyena attacks with new remote access trojan BlackReaperRAT", "description": "Threat Intelligence observed significant activity from the Forbidden Hyena threat actor group in late 2025 into early 2026, unveiling a novel remote access trojan (RAT) named BlackReaperRAT and a modified version of the Blackout Locker ransomware, now rebranded as Milkyway. BlackReaperRAT is disseminated via RAR files containing a batch script (1.bat) designed to execute a malicious VBS script (1.vbs), which subsequently downloads the RAT and a misleading document to distract users.\n\nThe BlackReaperRAT is implemented as an obfuscated VBS script that generates a unique BotID upon execution, storing it in the user\u2019s application data directory. Persistence mechanisms are robustly built in; it utilizes registry modifications to create autorun entries to ensure it executes upon system startup and employs Windows Task Scheduler for additional persistence as it registers these tasks under the highest privileges.", "modified": "2026-04-03T07:14:44.209000", "created": "2026-03-04T07:11:18.530000", "tags": [ "forbidden hyena", "blackreaperrat", "hyena", "blackout", "locker", "powershell", "appdata", "blackout locker", "bash", "filepath", "anydesk", "sliver", "service", "local", "powersploit", "netcat", "media", "execution", "date", "root", "dmsetup", "plink", "persistence", "manipulation", "defender", "powerview", "tools", "team", "cookie" ], "references": [ "https://bi.zone/expertise/blog/forbidden-hyena-atakuet-s-novym-troyanom-udalennogo-dostupa-blackreaperrat/" ], "public": 1, "adversary": "Forbidden_hyena", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 27, "URL": 9, "domain": 2, "hostname": 1 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://193.233.48.98", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://193.233.48.98", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780329186.1306179 }