{ "type": "URL", "indicator": "https://3.141.75.29/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://3.141.75.29/", "type": "url", "type_title": "URL", "validation": [ { "source": "cloud", "message": "In cloud provider range: provider=AWS", "name": "Cloud Provider IP range" } ], "base_indicator": { "id": 4171823449, "indicator": "https://3.141.75.29/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695734a30d2e512c757d1a8b", "name": "URLHaus data - 01-01-2026 (Part 3)", "description": "", "modified": "2026-02-01T02:03:59.852000", "created": "2026-01-02T02:59:47.826000", "tags": [ "32-bit", "elf", "mips", "Mozi", "c2-monitor-auto", "dropped-by-amadey", "hajime", "ps1", "arm", "mirai", "ua-wget", "CoinMiner", "Vidar", "ascii", "censys", "Encoded", "hex", "hex-loader", "sh", "botnetdomain", "opendir", "geofenced", "USA", "x86", "AsyncRAT", "lnk", "xml-opendir", "iframe", "fbf543", "exe", "stealer", "MaskGramStealer", "ClickFix", "ClickFix-cc", "payload", "vbs", "html", "OffLoader", "msi", "huntio", "ParallaxRAT", "Sliver", "siberguvenlik", "gafgyt", "rustystealer" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 313, "domain": 1 }, "indicator_count": 314, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69571964819f87afc0635cd4", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T01:01:15.812000", "created": "2026-01-02T01:03:32.300000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570d3fa84e66695169d7fd", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:11:43.742000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570e6c52da162b885bc40f", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:16:44.332000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695708eb70cd45cc6fa8af77", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 105 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T23:01:43.727000", "created": "2026-01-01T23:53:15.177000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956ed2fa2818e82b0808c0e", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T21:03:12.723000", "created": "2026-01-01T21:54:55.048000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956d251baf896f0196e06ea", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T20:00:47.735000", "created": "2026-01-01T20:00:17.126000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955b6aea7de19750cf24353", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(85), GootLoader(27), AsyncRAT(18), Cobalt Strike(16), Lumma Stealer(13). Source: abuse.ch ThreatFox API. SSL enriched: 44 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-31T23:50:06.137000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 56, "domain": 24, "URL": 24 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955a192c753bf4dceb4553f", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(32), GootLoader(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T22:03:30.045000", "created": "2025-12-31T22:20:02.035000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 51, "domain": 24, "URL": 29 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955a89cd898ed6636494d7e", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/ClearFake", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), GootLoader(26), ClearFake(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T22:03:30.045000", "created": "2025-12-31T22:50:04.490000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "clearfake", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "domain": 24, "URL": 29 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69559a8c6e66cd07aa360080", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(44), GootLoader(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T21:02:11.127000", "created": "2025-12-31T21:50:04", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 51, "domain": 24, "URL": 29 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69558577e8221b8efbff0040", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(64), GootLoader(22), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T20:00:55.934000", "created": "2025-12-31T20:20:07.640000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 24, "URL": 29 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69558c7aaaad5b04e0422932", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(56), GootLoader(22), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 48 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T20:00:55.934000", "created": "2025-12-31T20:50:02.544000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 24, "URL": 29 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695577611faffa23dee75695", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(80), Unknown malware(79), GootLoader(20), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T19:01:58.020000", "created": "2025-12-31T19:20:01.748000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69556954f090c9c50ca26709", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(97), Unknown malware(79), GootLoader(18), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T18:01:37.521000", "created": "2025-12-31T18:20:04.590000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955705e9d2efd2317dceb83", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(89), Unknown malware(79), GootLoader(18), AsyncRAT(17), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T18:01:37.521000", "created": "2025-12-31T18:50:06.351000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 48, "domain": 24, "URL": 29 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69555b4109060796f54a2add", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(111), Unknown malware(79), Cobalt Strike(17), Lumma Stealer(15), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T17:05:55.117000", "created": "2025-12-31T17:20:01.664000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955624985fcdbb11a4c8b6c", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(103), Unknown malware(79), Cobalt Strike(17), AsyncRAT(16), GootLoader(16). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T17:05:55.117000", "created": "2025-12-31T17:50:01.554000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 23, "URL": 29 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69554d340037309bc3d05224", "name": "OSINT Volley 2025-12-31 - ClearFake/Cobalt Strike/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(127), Cobalt Strike(85), Unknown malware(79), Lumma Stealer(27), AsyncRAT(12). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:20:04.042000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "cobalt-strike", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 21, "URL": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955543c6a72d5d78f7c7b31", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Lumma Stealer", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(119), Unknown malware(79), Lumma Stealer(27), Cobalt Strike(17), GootLoader(14). Source: abuse.ch ThreatFox API. SSL enriched: 57 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:50:04.196000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "lumma-stealer", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955560ac14446d3225ccd45", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-31", "description": "Automated ThreatFox hunt for Unknown malware indicators. 175 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:57:46.896000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "domain": 1, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69555649599d2d7a59158574", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Lumma Stealer", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(119), Unknown malware(79), Lumma Stealer(27), Cobalt Strike(17), AsyncRAT(14). Source: abuse.ch ThreatFox API. SSL enriched: 52 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T16:01:37.437000", "created": "2025-12-31T16:58:49.090000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "lumma-stealer", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 46, "domain": 22, "URL": 28 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955462cdc7a0f04a4bd5995", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(135), Unknown malware(103), Cobalt Strike(89), Lumma Stealer(27), AsyncRAT(11). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T15:01:37.873000", "created": "2025-12-31T15:50:04.630000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 50, "domain": 21, "URL": 28 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69553114d58c283ab3a0ed63", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(157), Unknown malware(111), Cobalt Strike(89), Lumma Stealer(27), Mirai(12). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T14:03:07.217000", "created": "2025-12-31T14:20:04.731000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955381cd840229a80a328bf", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(149), Unknown malware(103), Cobalt Strike(89), Lumma Stealer(27), Mirai(11). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T14:03:07.217000", "created": "2025-12-31T14:50:04.231000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695523017962ea60605d5098", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(172), Unknown malware(111), Cobalt Strike(92), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T13:04:11.833000", "created": "2025-12-31T13:20:01.932000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69552a0c2b2db2bdadc06aec", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(167), Unknown malware(111), Cobalt Strike(92), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 78 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T13:04:11.833000", "created": "2025-12-31T13:50:04.073000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695514f4dda682202a166e41", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(184), Unknown malware(111), Cobalt Strike(94), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 79 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T12:05:26.268000", "created": "2025-12-31T12:20:04.140000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 47, "domain": 20, "URL": 28 }, "indicator_count": 95, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69551bfcf6d6ba8922ac72d3", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(176), Unknown malware(111), Cobalt Strike(93), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 79 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T12:05:26.268000", "created": "2025-12-31T12:50:04.558000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 21, "hostname": 48, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695506e37e0e2f702d9e8e00", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(200), Unknown malware(120), Cobalt Strike(93), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T11:01:31.678000", "created": "2025-12-31T11:20:03.865000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 59, "domain": 20, "URL": 28 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69550deee11356c404831c19", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(192), Unknown malware(120), Cobalt Strike(95), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T11:01:31.678000", "created": "2025-12-31T11:50:06.443000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "domain": 20, "URL": 28 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954f8e0516d05fbb21156d6", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(219), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T10:04:07.167000", "created": "2025-12-31T10:20:16.087000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "URL": 28, "hostname": 65 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954ffdd455ecde4b1a541c5", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(205), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T10:04:07.167000", "created": "2025-12-31T10:50:05.928000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 65, "domain": 20, "URL": 28 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954f1d059d6f4d34056dde0", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(224), Unknown malware(117), Cobalt Strike(90), Lumma Stealer(27), SalatStealer(24). Source: abuse.ch ThreatFox API. SSL enriched: 87 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T09:00:44.611000", "created": "2025-12-31T09:50:08.173000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 20, "URL": 28, "hostname": 65 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954dcb57625377d065184d8", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(254), Unknown malware(116), Cobalt Strike(94), SalatStealer(24), AsyncRAT(17). Source: abuse.ch ThreatFox API. SSL enriched: 83 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T08:00:01.632000", "created": "2025-12-31T08:20:05.511000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 85, "URL": 25, "domain": 4 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954e3bed76ca090e3a6f59a", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(247), Unknown malware(116), Cobalt Strike(94), SalatStealer(24), AsyncRAT(17). Source: abuse.ch ThreatFox API. SSL enriched: 86 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T08:00:01.632000", "created": "2025-12-31T08:50:06.089000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 82, "URL": 25, "domain": 4 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954d5ad99107bdbd6eff113", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(138), Cobalt Strike(94), SalatStealer(24), Meterpreter(20). Source: abuse.ch ThreatFox API. SSL enriched: 76 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T07:03:20.260000", "created": "2025-12-31T07:50:04.997000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SalatStealer", "display_name": "SalatStealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "hostname": 106, "domain": 4 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954c095f9326c2811926a9e", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T06:00:51.865000", "created": "2025-12-31T06:20:05.383000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 67, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954c79d5e6d3536b0e2c2b1", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T06:00:51.865000", "created": "2025-12-31T06:50:05.401000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 67, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6954b98c294205f7f86672e6", "name": "OSINT Volley 2025-12-31 - ClearFake/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(265), Unknown malware(151), Cobalt Strike(108), GootLoader(63), Sliver(62). Source: abuse.ch ThreatFox API. SSL enriched: 103 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T05:00:01.077000", "created": "2025-12-31T05:50:04.286000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 67, "hostname": 76, "domain": 5 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695624dfb23fa246d89c8a33", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:40:15.665000", "created": "2026-01-01T07:40:15.665000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 40, "URL": 30, "hostname": 306 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69562286590921fda13de2f9", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:30:14.030000", "created": "2026-01-01T07:30:14.030000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "URL": 30, "hostname": 308 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956202ed867cbcb903e6c43", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:20:14.065000", "created": "2026-01-01T07:20:14.065000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "URL": 30, "hostname": 308 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69561dd7990a7c96cf11a5cc", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:10:15.718000", "created": "2026-01-01T07:10:15.718000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "URL": 30, "hostname": 308 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69561b7d2dcb3b1ce17a1e4e", "name": "PreCog Sweep - 2026-01-01 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T07:00:13.357000", "created": "2026-01-01T07:00:13.357000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "hostname": 308, "domain": 39 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69561927a01a843fec42b33d", "name": "PreCog Sweep - 2026-01-01 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T06:50:15.546000", "created": "2026-01-01T06:50:15.546000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 309, "URL": 30 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695616ce53fb18cb2172cd3f", "name": "PreCog Sweep - 2026-01-01 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T06:40:14.019000", "created": "2026-01-01T06:40:14.019000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 309, "URL": 30 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69561476d0266623c441f5e7", "name": "PreCog Sweep - 2026-01-01 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T06:30:14.270000", "created": "2026-01-01T06:30:14.270000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 309, "URL": 30 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956121f1dd5cbaa77401519", "name": "PreCog Sweep - 2026-01-01 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-01T06:20:15.105000", "created": "2026-01-01T06:20:15.105000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "hostname": 309, "URL": 30 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "153 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://urlhaus.abuse.ch/browse/", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://github.com/pduggusa/dugganusa-research", "https://threatfox.abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Salatstealer", "Cobalt strike", "Gootloader", "Lumma stealer", "Asyncrat", "Meterpreter", "Unknown malware", "Mirai", "Clearfake", "Sliver" ], "industries": [], "unique_indicators": 48691 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/3.141.75.29", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "92 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695734a30d2e512c757d1a8b", "name": "URLHaus data - 01-01-2026 (Part 3)", "description": "", "modified": "2026-02-01T02:03:59.852000", "created": "2026-01-02T02:59:47.826000", "tags": [ "32-bit", "elf", "mips", "Mozi", "c2-monitor-auto", "dropped-by-amadey", "hajime", "ps1", "arm", "mirai", "ua-wget", "CoinMiner", "Vidar", "ascii", "censys", "Encoded", "hex", "hex-loader", "sh", "botnetdomain", "opendir", "geofenced", "USA", "x86", "AsyncRAT", "lnk", "xml-opendir", "iframe", "fbf543", "exe", "stealer", "MaskGramStealer", "ClickFix", "ClickFix-cc", "payload", "vbs", "html", "OffLoader", "msi", "huntio", "ParallaxRAT", "Sliver", "siberguvenlik", "gafgyt", "rustystealer" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 313, "domain": 1 }, "indicator_count": 314, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69571964819f87afc0635cd4", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T01:01:15.812000", "created": "2026-01-02T01:03:32.300000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570d3fa84e66695169d7fd", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:11:43.742000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69570e6c52da162b885bc40f", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-02", "description": "Automated ThreatFox hunt for Unknown malware indicators. 98 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-01T00:04:14.146000", "created": "2026-01-02T00:16:44.332000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695708eb70cd45cc6fa8af77", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 105 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T23:01:43.727000", "created": "2026-01-01T23:53:15.177000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956ed2fa2818e82b0808c0e", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T21:03:12.723000", "created": "2026-01-01T21:54:55.048000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6956d251baf896f0196e06ea", "name": "ThreatFox Hunt: Unknown malware IOCs - 2026-01-01", "description": "Automated ThreatFox hunt for Unknown malware indicators. 107 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-31T20:00:47.735000", "created": "2026-01-01T20:00:17.126000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 7, "domain": 1 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "122 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955b6aea7de19750cf24353", "name": "OSINT Volley 2025-12-31 - Unknown malware/GootLoader/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(85), GootLoader(27), AsyncRAT(18), Cobalt Strike(16), Lumma Stealer(13). Source: abuse.ch ThreatFox API. SSL enriched: 44 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T23:05:00.056000", "created": "2025-12-31T23:50:06.137000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "gootloader", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 56, "domain": 24, "URL": 24 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6955a192c753bf4dceb4553f", "name": "OSINT Volley 2025-12-31 - Unknown malware/ClearFake/GootLoader", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(86), ClearFake(32), GootLoader(24), AsyncRAT(19), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 46 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-30T22:03:30.045000", "created": "2025-12-31T22:20:02.035000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "gootloader", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 51, "domain": 24, "URL": 29 }, "indicator_count": 104, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://3.141.75.29/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://3.141.75.29/", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "censys", "ClickFix", "ClickFix-cc", "html" ], "date_added": "2026-01-01", "last_online": "2026-05-22", "reporter": "NDA0E", "host": "3.141.75.29", "payloads": [ { "filename": "6d34cd1629c8dbc240da1a167d2b960139c5234cc9c54fd90eaa621ca5ef220e.json", "file_type": "json", "md5": "a38f7a0179c97a217c2b22334b4c9b3f", "sha256": "6d34cd1629c8dbc240da1a167d2b960139c5234cc9c54fd90eaa621ca5ef220e", "signature": null, "first_seen": "2026-05-21" }, { "filename": "ddff0705286177f08bd069c2c6e92352f7891bd103bd7d28ea5875ca5b0a0a2e.json", "file_type": "json", "md5": "97f0663446a260a9f2a15a4cffa8d044", "sha256": "ddff0705286177f08bd069c2c6e92352f7891bd103bd7d28ea5875ca5b0a0a2e", "signature": null, "first_seen": "2026-05-21" }, { "filename": "dcf215a89a21706add58e6137cb7777a0c61710a2ad2e87fa88a34a0b8362cb4.json", "file_type": "json", "md5": "4e51217ed6c61a4666df34cf750c4a19", "sha256": "dcf215a89a21706add58e6137cb7777a0c61710a2ad2e87fa88a34a0b8362cb4", "signature": null, "first_seen": "2026-05-21" }, { "filename": "6dff2d28d89495645f86a7cc01dd7f6e2ff3bf50ebd3a47b843677ef78470bf5.json", "file_type": "json", "md5": "ccdf6563ed8ca810bac147408cb79b22", "sha256": "6dff2d28d89495645f86a7cc01dd7f6e2ff3bf50ebd3a47b843677ef78470bf5", "signature": null, "first_seen": "2026-05-21" }, { "filename": "026f24ec7afab32f26c3025f9fe7a8624eb76740d43d21012811e4a08f1b06be.json", "file_type": "json", "md5": "b713fd05072cf0f8ee67e09092396cc7", "sha256": "026f24ec7afab32f26c3025f9fe7a8624eb76740d43d21012811e4a08f1b06be", "signature": null, "first_seen": "2026-05-21" } ], "error": null }, "from_cache": true, "_cached_at": 1780497509.0197716 }