{
  "type": "URL",
  "indicator": "https://9.9.9.11/dns-query'",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://9.9.9.11/dns-query'",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4157557678,
      "indicator": "https://9.9.9.11/dns-query'",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "698cdb84ae20a3f815a4e837",
          "name": "BRICKSTORM combined indicators from STIX YAML 12042025, 12182025, 02112026, AR25_338A-SIGMA",
          "description": "Combined indicators from the CISA BRICKSTORM analysis report (AR25-338A): https://www.cisa.gov/news-events/analysis-reports/ar25-338a?utm_source=BRICKSTORMMARUpdate&utm_medium=GovDelivery",
          "modified": "2026-03-13T19:06:44.570000",
          "created": "2026-02-11T19:41:56.469000",
          "tags": [
            "cisa code",
            "media analysis",
            "devnull",
            "readme",
            "edit",
            "ensure",
            "andor condition",
            "sigma rule",
            "tlp green",
            "please",
            "agent",
            "brickstorm"
          ],
          "references": [
            "AA25-239A-Countering-Chinese-State-Sponsored-Actors-Compromise-of-Networks-Worldwide-to-Feed-Global-Espionage-System.stix_.xml",
            "MAR-251165.c1.v1.CLEAR_stix2.json",
            "MAR-251217.r1.v1.CLEAR_stix2.json",
            "MAR-261234.r1.v1.CLEAR_stix2.json",
            "CMA_SIGMA_251157_r2_BRICKSTORM_Activity_TLP_CLEAR_1.yaml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BRICKSTORM",
              "display_name": "BRICKSTORM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ri-info-sec",
            "id": "183",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 22,
            "URL": 11,
            "YARA": 7,
            "domain": 1,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "78 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69525d4962014a689dcbfc54",
          "name": "BRICKSTORM Backdoor",
          "description": "BRICKSTORM is a backdoor malware identified as being utilized by state-sponsored cyber actors from the People's Republic of China (PRC) to gain long-term access to victim systems. Both the Cybersecurity and Infrastructure Security Agency (CISA) and its partner organizations have provided detailed insights into this malware, based on analyses of multiple samples. The malware is categorized as a custom Executable and Linkable Format (ELF) backdoor, built predominantly with Go, with updates included for additional samples by late December 2025.\n\nThe initial access vector for BRICKSTORM involved exploiting a web server within a victim's demilitarized zone (DMZ), where attackers used a web shell (T1505.003) to infiltrate the organization. Following this, they elevated their privileges with the sudo command (T1548.003) and established persistence by placing the malware in the system's /etc/sysconfig/ directory, configuring the init file to ensure the malware executes upon system boot.",
          "modified": "2026-01-28T10:02:43.646000",
          "created": "2025-12-29T10:51:53.195000",
          "tags": [
            "sponsored cyber",
            "samples",
            "json",
            "brickstorm espionage",
            "response brickstorm",
            "stealthy",
            "brickstorm"
          ],
          "references": [
            "https://www.cisa.gov/sites/default/files/2025-12/AR25-338A_Malware_Analysis_Report_Brickstorm_Backdoor.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1574.007",
              "name": "Path Interception by PATH Environment Variable",
              "display_name": "T1574.007 - Path Interception by PATH Environment Variable"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1548.003",
              "name": "Sudo and Sudo Caching",
              "display_name": "T1548.003 - Sudo and Sudo Caching"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1003.003",
              "name": "NTDS",
              "display_name": "T1003.003 - NTDS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Government",
            "Critical Infrastructure",
            "Information Technology"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 21,
            "URL": 4
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "122 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "693ac21225c36da419dbd4f1",
          "name": "EbeeDec2025 Pt2",
          "description": "Multiple APT/threat actors, malware and campaigns",
          "modified": "2026-01-10T13:01:53.320000",
          "created": "2025-12-11T13:07:30.549000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "filename",
            "cve20251338 cve",
            "bitcoinaddress"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 95,
            "hostname": 42,
            "CIDR": 1,
            "CVE": 2,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 230,
            "FileHash-SHA256": 224,
            "domain": 99,
            "email": 1
          },
          "indicator_count": 887,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, malware and campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6932537ef99ae14b4eceb539",
          "name": "How BrickStorm Hid Inside Virtual Machines for Years",
          "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis report (AR25-338A) on BRICKSTORM, a backdoor used by Chinese state-sponsored cyber actors.",
          "modified": "2026-01-04T03:03:01.624000",
          "created": "2025-12-05T03:37:34.493000",
          "tags": [
            "strong",
            "brickstorm",
            "sample",
            "cisa",
            "c2 server",
            "vmware",
            "table",
            "web service",
            "cyber centre",
            "google",
            "entropy",
            "april",
            "malware",
            "tools",
            "tech",
            "local",
            "sector",
            "download",
            "format",
            "icmp",
            "agent",
            "powershell",
            "hypervisor",
            "scroll",
            "launch",
            "kali",
            "sponsored cyber",
            "brickstorm espionage",
            "json",
            "command handler",
            "handler",
            "response brickstorm",
            "stealthy"
          ],
          "references": [
            "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sponsored Cyber",
              "display_name": "Sponsored Cyber",
              "target": null
            },
            {
              "id": "BRICKSTORM Espionage",
              "display_name": "BRICKSTORM Espionage",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            },
            {
              "id": "BRICKSTORM",
              "display_name": "BRICKSTORM",
              "target": null
            },
            {
              "id": "Response BRICKSTORM",
              "display_name": "Response BRICKSTORM",
              "target": null
            },
            {
              "id": "Stealthy",
              "display_name": "Stealthy",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [
            "Government",
            "Critical Infrastructure",
            "Information Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 12,
            "URL": 6,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6931cb1a55e4052a725eaf35",
          "name": "BRICKSTORM Backdoor | CISA",
          "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis report (AR25-338A) on BRICKSTORM, a backdoor used by Chinese state-sponsored cyber actors.",
          "modified": "2026-01-03T17:00:17.417000",
          "created": "2025-12-04T17:55:38.148000",
          "tags": [
            "strong",
            "brickstorm",
            "sample",
            "cisa",
            "c2 server",
            "vmware",
            "table",
            "web service",
            "cyber centre",
            "google",
            "entropy",
            "april",
            "malware",
            "tools",
            "tech",
            "local",
            "sector",
            "download",
            "format",
            "icmp",
            "agent",
            "powershell",
            "hypervisor",
            "scroll",
            "launch",
            "kali",
            "sponsored cyber",
            "brickstorm espionage",
            "json"
          ],
          "references": [
            "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sponsored Cyber",
              "display_name": "Sponsored Cyber",
              "target": null
            },
            {
              "id": "BRICKSTORM Espionage",
              "display_name": "BRICKSTORM Espionage",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            },
            {
              "id": "BRICKSTORM",
              "display_name": "BRICKSTORM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 12,
            "URL": 5,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69365a12e6f7f7d2cb74e8bc",
          "name": "BRICKSTORM Backdoor | CISA",
          "description": "",
          "modified": "2026-01-03T17:00:17.417000",
          "created": "2025-12-08T04:54:42.595000",
          "tags": [
            "strong",
            "brickstorm",
            "sample",
            "cisa",
            "c2 server",
            "vmware",
            "table",
            "web service",
            "cyber centre",
            "google",
            "entropy",
            "april",
            "malware",
            "tools",
            "tech",
            "local",
            "sector",
            "download",
            "format",
            "icmp",
            "agent",
            "powershell",
            "hypervisor",
            "scroll",
            "launch",
            "kali",
            "sponsored cyber",
            "brickstorm espionage",
            "json"
          ],
          "references": [
            "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sponsored Cyber",
              "display_name": "Sponsored Cyber",
              "target": null
            },
            {
              "id": "BRICKSTORM Espionage",
              "display_name": "BRICKSTORM Espionage",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            },
            {
              "id": "BRICKSTORM",
              "display_name": "BRICKSTORM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6931cb1a55e4052a725eaf35",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 12,
            "URL": 5,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 281,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694f6ee5f0dc7775adcc754b",
          "name": "BRICKSTORM Backdoor | CISA [by Tr1sa111]",
          "description": "",
          "modified": "2026-01-03T17:00:17.417000",
          "created": "2025-12-27T05:30:13.985000",
          "tags": [
            "strong",
            "brickstorm",
            "sample",
            "cisa",
            "c2 server",
            "vmware",
            "table",
            "web service",
            "cyber centre",
            "google",
            "entropy",
            "april",
            "malware",
            "tools",
            "tech",
            "local",
            "sector",
            "download",
            "format",
            "icmp",
            "agent",
            "powershell",
            "hypervisor",
            "scroll",
            "launch",
            "kali",
            "sponsored cyber",
            "brickstorm espionage",
            "json"
          ],
          "references": [
            "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Sponsored Cyber",
              "display_name": "Sponsored Cyber",
              "target": null
            },
            {
              "id": "BRICKSTORM Espionage",
              "display_name": "BRICKSTORM Espionage",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            },
            {
              "id": "BRICKSTORM",
              "display_name": "BRICKSTORM",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1037",
              "name": "Boot or Logon Initialization Scripts",
              "display_name": "T1037 - Boot or Logon Initialization Scripts"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69365a12e6f7f7d2cb74e8bc",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 8,
            "FileHash-SHA256": 12,
            "URL": 5,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cisa.gov/sites/default/files/2025-12/AR25-338A_Malware_Analysis_Report_Brickstorm_Backdoor.pdf",
        "Book1.csv",
        "MAR-251217.r1.v1.CLEAR_stix2.json",
        "AA25-239A-Countering-Chinese-State-Sponsored-Actors-Compromise-of-Networks-Worldwide-to-Feed-Global-Espionage-System.stix_.xml",
        "MAR-261234.r1.v1.CLEAR_stix2.json",
        "https://www.cisa.gov/news-events/analysis-reports/ar25-338a",
        "CMA_SIGMA_251157_r2_BRICKSTORM_Activity_TLP_CLEAR_1.yaml",
        "MAR-251165.c1.v1.CLEAR_stix2.json"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
            "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex"
          ],
          "malware_families": [
            "Stealthy",
            "Sponsored cyber",
            "Brickstorm",
            "Brickstorm espionage",
            "Json",
            "Response brickstorm"
          ],
          "industries": [
            "Information technology",
            "Critical infrastructure",
            "Government"
          ],
          "unique_indicators": 1989
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/9.9.9.11",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "698cdb84ae20a3f815a4e837",
      "name": "BRICKSTORM combined indicators from STIX YAML 12042025, 12182025, 02112026, AR25_338A-SIGMA",
      "description": "Combined indicators from BRICKSTORM https://www.cisa.gov/news-events/analysis-reports/ar25-338a?utm_source=BRICKSTORMMARUpdate&utm_medium=GovDelivery",
      "modified": "2026-03-13T19:06:44.570000",
      "created": "2026-02-11T19:41:56.469000",
      "tags": [
        "cisa code",
        "media analysis",
        "devnull",
        "readme",
        "edit",
        "ensure",
        "andor condition",
        "sigma rule",
        "tlp green",
        "please",
        "agent",
        "brickstorm"
      ],
      "references": [
        "AA25-239A-Countering-Chinese-State-Sponsored-Actors-Compromise-of-Networks-Worldwide-to-Feed-Global-Espionage-System.stix_.xml",
        "MAR-251165.c1.v1.CLEAR_stix2.json",
        "MAR-251217.r1.v1.CLEAR_stix2.json",
        "MAR-261234.r1.v1.CLEAR_stix2.json",
        "CMA_SIGMA_251157_r2_BRICKSTORM_Activity_TLP_CLEAR_1.yaml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BRICKSTORM",
          "display_name": "BRICKSTORM",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ri-info-sec",
        "id": "183",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 22,
        "URL": 11,
        "YARA": 7,
        "domain": 1,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "78 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69525d4962014a689dcbfc54",
      "name": "BRICKSTORM Backdoor",
      "description": "BRICKSTORM is a backdoor malware identified as being utilized by state-sponsored cyber actors from the People's Republic of China (PRC) to gain long-term access to victim systems. Both the Cybersecurity and Infrastructure Security Agency (CISA) and its partner organizations have provided detailed insights into this malware, based on analyses of multiple samples. The malware is categorized as a custom Executable and Linkable Format (ELF) backdoor, built predominantly with Go, with updates included for additional samples by late December 2025.\n\nThe initial access vector for BRICKSTORM involved exploiting a web server within a victim's demilitarized zone (DMZ), where attackers used a web shell (MITRE ATT&CK T1505.003) to infiltrate the organization. Following this, they elevated their privileges with the sudo command (T1548.003) and established persistence by placing the malware in the system's /etc/sysconfig/ directory, configuring the init file to ensure the malware executes upon system boot.",
      "modified": "2026-01-28T10:02:43.646000",
      "created": "2025-12-29T10:51:53.195000",
      "tags": [
        "sponsored cyber",
        "samples",
        "json",
        "brickstorm espionage",
        "response brickstorm",
        "stealthy",
        "brickstorm"
      ],
      "references": [
        "https://www.cisa.gov/sites/default/files/2025-12/AR25-338A_Malware_Analysis_Report_Brickstorm_Backdoor.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1574.007",
          "name": "Path Interception by PATH Environment Variable",
          "display_name": "T1574.007 - Path Interception by PATH Environment Variable"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1548.003",
          "name": "Sudo and Sudo Caching",
          "display_name": "T1548.003 - Sudo and Sudo Caching"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1003.003",
          "name": "NTDS",
          "display_name": "T1003.003 - NTDS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Government",
        "Critical Infrastructure",
        "Information Technology"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 21,
        "URL": 4
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "122 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "693ac21225c36da419dbd4f1",
      "name": "EbeeDec2025 Pt2",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-10T13:01:53.320000",
      "created": "2025-12-11T13:07:30.549000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "filename",
        "cve20251338 cve",
        "bitcoinaddress"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 95,
        "hostname": 42,
        "CIDR": 1,
        "CVE": 2,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 230,
        "FileHash-SHA256": 224,
        "domain": 99,
        "email": 1
      },
      "indicator_count": 887,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6932537ef99ae14b4eceb539",
      "name": "How BrickStorm Hid Inside Virtual Machines for Years",
      "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis report (AR25-338A) on BRICKSTORM, a backdoor malware used by Chinese state-sponsored cyber actors.",
      "modified": "2026-01-04T03:03:01.624000",
      "created": "2025-12-05T03:37:34.493000",
      "tags": [
        "strong",
        "brickstorm",
        "sample",
        "cisa",
        "c2 server",
        "vmware",
        "table",
        "web service",
        "cyber centre",
        "google",
        "entropy",
        "april",
        "malware",
        "tools",
        "tech",
        "local",
        "sector",
        "download",
        "format",
        "icmp",
        "agent",
        "powershell",
        "hypervisor",
        "scroll",
        "launch",
        "kali",
        "sponsored cyber",
        "brickstorm espionage",
        "json",
        "command handler",
        "handler",
        "response brickstorm",
        "stealthy"
      ],
      "references": [
        "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sponsored Cyber",
          "display_name": "Sponsored Cyber",
          "target": null
        },
        {
          "id": "BRICKSTORM Espionage",
          "display_name": "BRICKSTORM Espionage",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        },
        {
          "id": "BRICKSTORM",
          "display_name": "BRICKSTORM",
          "target": null
        },
        {
          "id": "Response BRICKSTORM",
          "display_name": "Response BRICKSTORM",
          "target": null
        },
        {
          "id": "Stealthy",
          "display_name": "Stealthy",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        }
      ],
      "industries": [
        "Government",
        "Critical Infrastructure",
        "Information Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 12,
        "URL": 6,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 59,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6931cb1a55e4052a725eaf35",
      "name": "BRICKSTORM Backdoor | CISA",
      "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis report (AR25-338A) on BRICKSTORM, a backdoor malware used by Chinese state-sponsored cyber actors.",
      "modified": "2026-01-03T17:00:17.417000",
      "created": "2025-12-04T17:55:38.148000",
      "tags": [
        "strong",
        "brickstorm",
        "sample",
        "cisa",
        "c2 server",
        "vmware",
        "table",
        "web service",
        "cyber centre",
        "google",
        "entropy",
        "april",
        "malware",
        "tools",
        "tech",
        "local",
        "sector",
        "download",
        "format",
        "icmp",
        "agent",
        "powershell",
        "hypervisor",
        "scroll",
        "launch",
        "kali",
        "sponsored cyber",
        "brickstorm espionage",
        "json"
      ],
      "references": [
        "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sponsored Cyber",
          "display_name": "Sponsored Cyber",
          "target": null
        },
        {
          "id": "BRICKSTORM Espionage",
          "display_name": "BRICKSTORM Espionage",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        },
        {
          "id": "BRICKSTORM",
          "display_name": "BRICKSTORM",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 12,
        "URL": 5,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69365a12e6f7f7d2cb74e8bc",
      "name": "BRICKSTORM Backdoor | CISA",
      "description": "",
      "modified": "2026-01-03T17:00:17.417000",
      "created": "2025-12-08T04:54:42.595000",
      "tags": [
        "strong",
        "brickstorm",
        "sample",
        "cisa",
        "c2 server",
        "vmware",
        "table",
        "web service",
        "cyber centre",
        "google",
        "entropy",
        "april",
        "malware",
        "tools",
        "tech",
        "local",
        "sector",
        "download",
        "format",
        "icmp",
        "agent",
        "powershell",
        "hypervisor",
        "scroll",
        "launch",
        "kali",
        "sponsored cyber",
        "brickstorm espionage",
        "json"
      ],
      "references": [
        "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sponsored Cyber",
          "display_name": "Sponsored Cyber",
          "target": null
        },
        {
          "id": "BRICKSTORM Espionage",
          "display_name": "BRICKSTORM Espionage",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        },
        {
          "id": "BRICKSTORM",
          "display_name": "BRICKSTORM",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6931cb1a55e4052a725eaf35",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 12,
        "URL": 5,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 281,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694f6ee5f0dc7775adcc754b",
      "name": "BRICKSTORM Backdoor | CISA [by Tr1sa111]",
      "description": "",
      "modified": "2026-01-03T17:00:17.417000",
      "created": "2025-12-27T05:30:13.985000",
      "tags": [
        "strong",
        "brickstorm",
        "sample",
        "cisa",
        "c2 server",
        "vmware",
        "table",
        "web service",
        "cyber centre",
        "google",
        "entropy",
        "april",
        "malware",
        "tools",
        "tech",
        "local",
        "sector",
        "download",
        "format",
        "icmp",
        "agent",
        "powershell",
        "hypervisor",
        "scroll",
        "launch",
        "kali",
        "sponsored cyber",
        "brickstorm espionage",
        "json"
      ],
      "references": [
        "https://www.cisa.gov/news-events/analysis-reports/ar25-338a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Sponsored Cyber",
          "display_name": "Sponsored Cyber",
          "target": null
        },
        {
          "id": "BRICKSTORM Espionage",
          "display_name": "BRICKSTORM Espionage",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        },
        {
          "id": "BRICKSTORM",
          "display_name": "BRICKSTORM",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1037",
          "name": "Boot or Logon Initialization Scripts",
          "display_name": "T1037 - Boot or Logon Initialization Scripts"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69365a12e6f7f7d2cb74e8bc",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 8,
        "FileHash-SHA256": 12,
        "URL": 5,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://9.9.9.11/dns-query'",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://9.9.9.11/dns-query'",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205706.3335307
}