{ "type": "URL", "indicator": "https://8getobject.estaca.ru", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://8getobject.estaca.ru", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4073390754, "indicator": "https://8getobject.estaca.ru", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "684150f8ab8fe1229def2bea", "name": "Analysis of the APT-C-53 (Gamaredon) organization's attack operations.", "description": "APT-C-53, also known as Gamaredon, is a persistent advanced persistent threat group that has been operational since 2013, primarily targeting government and military sectors to acquire intelligence. Recent activities indicate that Gamaredon is not diminishing despite ongoing disclosures of its methodologies by security vendors; rather, it appears to be escalating its attacks. The group predominantly utilizes malicious VBS scripts characterized by high obfuscation techniques, including code fragmentation and Base64 encoding, to enhance its evasion tactics. A notable aspect of their strategy involves using military-related themes in social engineering attempts, which helps lower the vigilance of potential victims and increases the likelihood of successful malware execution.", "modified": "2025-07-05T08:00:58.306000", "created": "2025-06-05T08:10:32.633000", "tags": [ "public", "temp", "appdata", "windowsresponby", "gamaredon", "windowsdetect", "windowstelegra", "https", "aptc53gamaredon", "ocwstwz5hzufor", "cookie" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "public": 1, "adversary": "APT-C-53", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 1, "URL": 48, "hostname": 36 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "333 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "APT-C-53" ], "malware_families": [ "" ], "industries": [], "unique_indicators": 91 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/estaca.ru", "whois": "http://whois.domaintools.com/estaca.ru", "domain": "estaca.ru", "hostname": "8getobject.estaca.ru" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "684150f8ab8fe1229def2bea", "name": "Analysis of the APT-C-53 (Gamaredon) organization's attack operations.", "description": "APT-C-53, also known as Gamaredon, is a persistent advanced persistent threat group that has been operational since 2013, primarily targeting government and military sectors to acquire intelligence. Recent activities indicate that Gamaredon is not diminishing despite ongoing disclosures of its methodologies by security vendors; rather, it appears to be escalating its attacks. The group predominantly utilizes malicious VBS scripts characterized by high obfuscation techniques, including code fragmentation and Base64 encoding, to enhance its evasion tactics. A notable aspect of their strategy involves using military-related themes in social engineering attempts, which helps lower the vigilance of potential victims and increases the likelihood of successful malware execution.", "modified": "2025-07-05T08:00:58.306000", "created": "2025-06-05T08:10:32.633000", "tags": [ "public", "temp", "appdata", "windowsresponby", "gamaredon", "windowsdetect", "windowstelegra", "https", "aptc53gamaredon", "ocwstwz5hzufor", "cookie" ], "references": [ "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247506191&idx=1&sn=89db49b84b7462bbf8731dbcc787e8c4&chksm=f9c1ea06ceb6631006eec73a1129db88dcbce705fd5bbfefe4eba48b5d4db5ed5017e34c9669&scene=178&cur_album_id=1955835290309230595&search_click_id=&poc_token=HGZOQWijOCtBLbeOZNmKXb_11l0WZ77aAMufwFqO" ], "public": 1, "adversary": "APT-C-53", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036.002", "name": "Right-to-Left Override", "display_name": "T1036.002 - Right-to-Left Override" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 1, "URL": 48, "hostname": 36 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "333 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://8getobject.estaca.ru", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://8getobject.estaca.ru", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780489778.666077 }