{ "type": "URL", "indicator": "https://3.89.221.73/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://3.89.221.73/", "type": "url", "type_title": "URL", "validation": [ { "source": "cloud", "message": "In cloud provider range: provider=AWS", "name": "Cloud Provider IP range" } ], "base_indicator": { "id": 4169749560, "indicator": "https://3.89.221.73/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6953075fca5a8e39827bb966", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 138 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T22:01:33.206000", "created": "2025-12-29T22:57:35.780000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "hostname": 2 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951d20b67c888e6553e1085", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 158 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-29T00:57:46.980000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 1, "hostname": 3 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69514aa13c6d10acf20d784d", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(104), Unknown malware(86), DragonForce(34), AsyncRAT(29), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:20:01.380000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695151ace7d644422bdc8da9", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(101), Unknown malware(86), DragonForce(34), AsyncRAT(33), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:50:04.165000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 38, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 151, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69513c93285c03e79484f987", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(110), Unknown malware(86), DragonForce(34), AsyncRAT(25), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:20:03.878000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951439ca9f0662d5e7e24be", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(107), Unknown malware(86), DragonForce(34), AsyncRAT(27), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:50:04.576000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69512e81f84cdfc640becaf7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(116), Unknown malware(82), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:20:01.949000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951358c294b652c16aa50d0", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(117), Unknown malware(91), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:50:04.190000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951207341c2f26f6931714f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(124), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 51 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:20:03.629000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951277d62fff969ebbcde03", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:50:05.587000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695112611441ca6345ba912a", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(127), Unknown malware(103), DragonForce(34), AsyncRAT(23), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T11:01:33.797000", "created": "2025-12-28T11:20:01.868000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 52, "URL": 29, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951196bd2076fc12fcec26b", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(104), DragonForce(34), AsyncRAT(23), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T11:01:33.797000", "created": "2025-12-28T11:50:03.366000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 31, "hostname": 52, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69510b5b787f5a67dd4b035f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(129), Unknown malware(100), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T10:03:29.705000", "created": "2025-12-28T10:50:03.580000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 29, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950fd4ddc5c4a0b38fbbde7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(129), Unknown malware(100), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T09:03:11.977000", "created": "2025-12-28T09:50:05.854000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "hostname": 49, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 128, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950e83be370ec01c77dcce4", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(125), Unknown malware(95), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T08:00:32.278000", "created": "2025-12-28T08:20:11.876000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "hostname": 55, "URL": 24, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950ef3ba2712e4e554a960b", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(95), DragonForce(34), AsyncRAT(21), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T08:00:32.278000", "created": "2025-12-28T08:50:03.209000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "hostname": 55, "URL": 24, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950da222fd02dab3e101308", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(110), DragonForce(34), Aisuru(17), AsyncRAT(15). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 4 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T07:03:09.395000", "created": "2025-12-28T07:20:02.475000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950e12c039bd271c4a3565e", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(125), Unknown malware(108), DragonForce(34), AsyncRAT(18), Cobalt Strike(15). Source: abuse.ch ThreatFox API. SSL enriched: 62 IPs with HTTPS, 4 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T07:03:09.395000", "created": "2025-12-28T07:50:04.253000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "FileHash-MD5": 41, "hostname": 64, "URL": 23 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950cc17f8acacb52e4cd56f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(123), Unknown malware(123), DragonForce(34), AsyncRAT(25), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 74 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T06:01:48.503000", "created": "2025-12-28T06:20:07.409000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950d31c7cfd6fd9f3186008", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(123), ClearFake(121), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T06:01:48.503000", "created": "2025-12-28T06:50:04.758000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "domain": 3, "URL": 23, "FileHash-MD5": 28 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950be031d8191485f08ff60", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(120), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T05:04:33.803000", "created": "2025-12-28T05:20:03.469000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 72, "domain": 2, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950c50b44f0346b6ad2fcaa", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(123), ClearFake(121), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T05:04:33.803000", "created": "2025-12-28T05:50:03.654000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "hostname": 69, "domain": 2, "FileHash-MD5": 38 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950aff45187f933403527f9", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(122), ClearFake(119), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T04:01:00.426000", "created": "2025-12-28T04:20:04.179000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "domain": 3, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950b6fc910ebd20c634e613", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(120), DragonForce(34), AsyncRAT(23), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 73 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T04:01:00.426000", "created": "2025-12-28T04:50:04.423000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 72, "domain": 2, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950a8f05435f15faa95c540", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T03:04:02.635000", "created": "2025-12-28T03:50:08.065000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "domain": 3, "URL": 15, "FileHash-MD5": 41 }, "indicator_count": 140, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695093d4bfeffbcd169db5f5", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(117), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T02:04:15.895000", "created": "2025-12-28T02:20:04.231000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69509adc0cf219b0eee791e0", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Cobalt Strike(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T02:04:15.895000", "created": "2025-12-28T02:50:03.999000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695085c1bf416e4bcf91a206", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(115), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T01:03:59.487000", "created": "2025-12-28T01:20:01.907000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69508ccdb2c137102a10265a", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(121), ClearFake(119), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T01:03:59.487000", "created": "2025-12-28T01:50:05.047000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 71, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695077b39161b824609550ba", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(117), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T00:02:33.436000", "created": "2025-12-28T00:20:03.676000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69507eb947d30fef12c60b01", "name": "OSINT Volley 2025-12-28 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(120), ClearFake(115), DragonForce(34), AsyncRAT(25), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 69 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T00:02:33.436000", "created": "2025-12-28T00:50:01.833000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 73, "URL": 10, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950684142402dd3c4dc16ce", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(115), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:14:09.196000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695069a144239720870fde0c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(113), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:20:01.909000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695070a923f7e9425c1254fd", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(124), ClearFake(113), DragonForce(34), AsyncRAT(24), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 72 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T23:00:27.731000", "created": "2025-12-27T23:50:01.704000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 15, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695056ec3ae0b10f94c84e9d", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:00:12.519000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69505b9153643c2cbefd8891", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:20:01.435000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950629920fe3a3c4fde074d", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(117), ClearFake(115), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T22:03:23.463000", "created": "2025-12-27T22:50:01.370000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 84, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 152, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69504d813a63dbf11baa956f", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(115), ClearFake(113), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:20:01.057000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 83, "URL": 23, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950548ce3cf60cd8b2e0e26", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:50:04.286000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 2, "hostname": 80, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695055a7c548b334d2897929", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:54:47.330000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 2, "hostname": 80, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695056247ac4ea100d0e129b", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(111), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T21:01:47.644000", "created": "2025-12-27T21:56:52.886000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 25, "domain": 2, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69503f73b0fb14822bdcb0c7", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(116), ClearFake(99), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T20:01:15.477000", "created": "2025-12-27T20:20:03.757000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 24, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950467d077e7fcb4aa40401", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(115), ClearFake(103), DragonForce(34), AsyncRAT(22), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T20:01:15.477000", "created": "2025-12-27T20:50:05.059000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 81, "URL": 23, "FileHash-MD5": 41, "domain": 1 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69502e34366c47ecca7e1e1a", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(98), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:06:28.187000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 22, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 143, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69503161c3e65948c7a1f8ee", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(96), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:20:01.584000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 79, "URL": 22, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950386bd38d7679f5e5007c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(110), ClearFake(101), DragonForce(34), AsyncRAT(21), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T19:04:47.512000", "created": "2025-12-27T19:50:03.829000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "URL": 23, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950270f366ea08035ce68a4", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:35:59.795000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6950281eb4afb02cd8608e7c", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:40:30.594000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695028ee3ec197226e39102a", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 65 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:43:58.561000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 80, "URL": 22, "FileHash-MD5": 41, "domain": 3 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695029a7d9fe81d44461efe1", "name": "OSINT Volley 2025-12-27 - Unknown malware/ClearFake/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(109), ClearFake(100), DragonForce(34), AsyncRAT(23), Aisuru(17). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-26T18:04:20.395000", "created": "2025-12-27T18:47:03.107000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "clearfake", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Aisuru", "display_name": "Aisuru", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 79, "URL": 22, "FileHash-MD5": 41, "domain": 2 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://threatfox.abuse.ch", "https://analytics.dugganusa.com/api/v1/stix-feed/v2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Aisuru", "Asyncrat", "Cobalt strike", "Dragonforce", "Meterpreter", "Clearfake", "Unknown malware" ], "industries": [], "unique_indicators": 545 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/3.89.221.73", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6953075fca5a8e39827bb966", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 138 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T22:01:33.206000", "created": "2025-12-29T22:57:35.780000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "hostname": 2 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "126 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951d20b67c888e6553e1085", "name": "ThreatFox Hunt: Unknown malware IOCs - 2025-12-29", "description": "Automated ThreatFox hunt for Unknown malware indicators. 158 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-29T00:57:46.980000", "tags": [ "unknown-malware", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "unattributed" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 1, "hostname": 3 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69514aa13c6d10acf20d784d", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(104), Unknown malware(86), DragonForce(34), AsyncRAT(29), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:20:01.380000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "695151ace7d644422bdc8da9", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(101), Unknown malware(86), DragonForce(34), AsyncRAT(33), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T15:00:42.751000", "created": "2025-12-28T15:50:04.165000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 38, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 151, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69513c93285c03e79484f987", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(110), Unknown malware(86), DragonForce(34), AsyncRAT(25), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:20:03.878000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951439ca9f0662d5e7e24be", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(107), Unknown malware(86), DragonForce(34), AsyncRAT(27), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T14:03:17.778000", "created": "2025-12-28T14:50:04.576000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69512e81f84cdfc640becaf7", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(116), Unknown malware(82), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 49 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:20:01.949000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 135, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951358c294b652c16aa50d0", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(117), Unknown malware(91), DragonForce(34), AsyncRAT(24), Meterpreter(16). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T13:05:51.798000", "created": "2025-12-28T13:50:04.190000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 58, "URL": 40, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951207341c2f26f6931714f", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(124), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 51 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:20:03.629000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6951277d62fff969ebbcde03", "name": "OSINT Volley 2025-12-28 - ClearFake/Unknown malware/DragonForce", "description": "Automated OSINT sweep from ThreatFox. Top malware: ClearFake(121), Unknown malware(100), DragonForce(34), AsyncRAT(24), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 50 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-01-27T12:03:09.642000", "created": "2025-12-28T12:50:05.587000", "tags": [ "osint-volley", "threatfox", "automated", "clearfake", "unknown-malware", "dragonforce", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "DragonForce", "display_name": "DragonForce", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49, "URL": 32, "domain": 9, "FileHash-MD5": 41 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://3.89.221.73/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://3.89.221.73/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780535820.6896067 }