{ "type": "URL", "indicator": "https://94.141.122.173/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://94.141.122.173/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4184741688, "indicator": "https://94.141.122.173/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6996ef256528000ea157373e", "name": "ThreatFix_URL_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:08:21.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA256": 1, "URL": 1197, "domain": 314, "hostname": 284 }, "indicator_count": 1806, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d7f5ee095dbef6a5596a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T20:00:48.797000", "created": "2026-01-23T20:20:05.279000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 23, "hostname": 24 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d0ec811c1eba11d727de", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T19:00:34.876000", "created": "2026-01-23T19:50:04.852000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 33, "hostname": 25 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973bbdc7ede58bf5c5684cd", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:20:12.183000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 25, "domain": 6 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973c2ddf1a3c59e50cf733a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:50:05.240000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 33, "hostname": 25, "domain": 6 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973adc4080817b837ceeacf", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T17:02:53.014000", "created": "2026-01-23T17:20:04.696000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "URL": 44, "domain": 6 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69739fb48d49d70962fd560e", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Phorpiex(39), Nitrogen Ransomware(36), Vidar(35), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T16:03:28.882000", "created": "2026-01-23T16:20:04.087000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 46, "domain": 6, "hostname": 20 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973a6bd71022ddec5b7d1e0", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Phorpiex(39), Nitrogen Ransomware(36), Vidar(35), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T16:03:28.882000", "created": "2026-01-23T16:50:05.020000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 46, "domain": 6, "hostname": 20 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697391a4ffe47972f3bbfedf", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(106), Vidar(53), Unknown malware(47), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T15:03:09.278000", "created": "2026-01-23T15:20:04.352000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "domain": 5, "hostname": 19 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697398ac1dc2aec2bf2a326c", "name": "OSINT Volley 2026-01-23 - Meterpreter/Unknown malware/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(106), Unknown malware(47), Phorpiex(39), Nitrogen Ransomware(36), Vidar(35). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T15:03:09.278000", "created": "2026-01-23T15:50:04.561000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "domain": 5, "hostname": 19 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973839523a26c1c5e90f735", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(106), Vidar(53), Unknown malware(47), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T14:04:54.694000", "created": "2026-01-23T14:20:05.338000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 19, "URL": 60, "domain": 5 }, "indicator_count": 84, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697375837501ee23859cc904", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(106), Vidar(53), Unknown malware(47), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T13:02:36.927000", "created": "2026-01-23T13:20:03.786000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 19, "URL": 57, "domain": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69737c8abd917df4057c0f65", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(106), Vidar(53), Unknown malware(47), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T13:02:36.927000", "created": "2026-01-23T13:50:02.166000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 19, "URL": 57, "domain": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973677841845d23a9210828", "name": "OSINT Volley 2026-01-23 - Meterpreter/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown malware(97), Vidar(55), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T12:03:08.101000", "created": "2026-01-23T12:20:08.133000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 17, "URL": 57, "domain": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69736e7ef99f826a352b5f08", "name": "OSINT Volley 2026-01-23 - Meterpreter/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(100), Unknown malware(97), Vidar(55), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 18 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T12:03:08.101000", "created": "2026-01-23T12:50:06.579000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 17, "URL": 57, "domain": 3 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69735964587c58379e16f7f6", "name": "OSINT Volley 2026-01-23 - Unknown malware/Meterpreter/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(96), Meterpreter(81), Vidar(55), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T11:02:45.266000", "created": "2026-01-23T11:20:04.445000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "hostname": 15, "domain": 3 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973606def937343c26b6cbd", "name": "OSINT Volley 2026-01-23 - Unknown malware/Meterpreter/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(96), Meterpreter(81), Vidar(55), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 16 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T11:02:45.266000", "created": "2026-01-23T11:50:05.419000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "URL": 57, "domain": 3 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69735260888ae354f3e86c28", "name": "OSINT Volley 2026-01-23 - Unknown malware/Meterpreter/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(98), Meterpreter(81), Vidar(55), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 17 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T10:02:23.104000", "created": "2026-01-23T10:50:08.281000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "hostname": 15, "domain": 3 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69733d431e0a57e9e8fb9e8d", "name": "OSINT Volley 2026-01-23 - Unknown malware/Meterpreter/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(98), Meterpreter(81), Vidar(66), Phorpiex(39), Nitrogen Ransomware(36). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T09:00:07.007000", "created": "2026-01-23T09:20:03.042000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 9, "URL": 63, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69733f64067659cdd28d2b30", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 26 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T09:00:07.007000", "created": "2026-01-23T09:29:08.007000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "hostname": 4 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69748c762eba01d6f9694797", "name": "PreCog Sweep - 2026-01-24 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T09:10:14.238000", "created": "2026-01-24T09:10:14.238000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 43, "domain": 88, "hostname": 117 }, "indicator_count": 248, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69748a1d4ebc27a11704321a", "name": "PreCog Sweep - 2026-01-24 09h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T09:00:13.775000", "created": "2026-01-24T09:00:13.775000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 43, "domain": 88, "hostname": 117 }, "indicator_count": 248, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697487c588434ebdce930dd4", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:50:13.900000", "created": "2026-01-24T08:50:13.900000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 44, "domain": 87, "hostname": 116 }, "indicator_count": 247, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974856ca1df16be8017d2ae", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:40:12.932000", "created": "2026-01-24T08:40:12.932000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 44, "domain": 87, "hostname": 116 }, "indicator_count": 247, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974831702788548d36d720d", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:30:15.006000", "created": "2026-01-24T08:30:15.006000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 44, "domain": 87, "hostname": 116 }, "indicator_count": 247, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697480be9d4fc8f5ee0aa903", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:20:14.431000", "created": "2026-01-24T08:20:14.431000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 44, "domain": 87, "hostname": 116 }, "indicator_count": 247, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69747e66ad8044adea92d117", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:10:13.989000", "created": "2026-01-24T08:10:13.989000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 86, "URL": 43, "hostname": 118 }, "indicator_count": 247, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69747c0e255d24ab024f642e", "name": "PreCog Sweep - 2026-01-24 08h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T08:00:14.743000", "created": "2026-01-24T08:00:14.743000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 69, "URL": 83, "hostname": 106 }, "indicator_count": 258, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697479b591bca578e9d30faa", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:50:13.099000", "created": "2026-01-24T07:50:13.099000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67, "URL": 83, "hostname": 105 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974775e8e5909a14c4a6085", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:40:14.330000", "created": "2026-01-24T07:40:14.330000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67, "URL": 83, "hostname": 105 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697475067017b7e09c341e6c", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:30:14.450000", "created": "2026-01-24T07:30:14.450000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 83, "hostname": 103, "domain": 69 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697472aee70f738f30689d21", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:20:14.956000", "created": "2026-01-24T07:20:14.956000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 83, "hostname": 103, "domain": 69 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69747057d008cbfb9d00e867", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:10:15.625000", "created": "2026-01-24T07:10:15.625000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 68 }, "indicator_count": 255, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69746dfe7502c665758de89d", "name": "PreCog Sweep - 2026-01-24 07h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T07:00:14.418000", "created": "2026-01-24T07:00:14.418000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 72 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69746ba5139cb0c96d66652e", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:50:13.717000", "created": "2026-01-24T06:50:13.717000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 72 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974694d40d01085583543a1", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:40:13.284000", "created": "2026-01-24T06:40:13.284000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 73 }, "indicator_count": 260, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697466f619ea671992374a67", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:30:14.344000", "created": "2026-01-24T06:30:14.344000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 73 }, "indicator_count": 260, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974649e8a013374edaae0a2", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:20:14.373000", "created": "2026-01-24T06:20:14.373000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 73 }, "indicator_count": 260, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69746246bd0fd52f6bb9d183", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:10:14.270000", "created": "2026-01-24T06:10:14.270000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 103, "domain": 73 }, "indicator_count": 260, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69745fee8745aee95852ad29", "name": "PreCog Sweep - 2026-01-24 06h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T06:00:14.517000", "created": "2026-01-24T06:00:14.517000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69745d9624d37e45174c6175", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:50:14.140000", "created": "2026-01-24T05:50:14.140000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69745b3e18bc9ec6227af4d7", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:40:14.481000", "created": "2026-01-24T05:40:14.481000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697458e65dbbb9fbda3bc5c0", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:30:14.042000", "created": "2026-01-24T05:30:14.042000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974568d36bac17a70bce20a", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:20:13.683000", "created": "2026-01-24T05:20:13.683000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974543606a36aa4aab76bb3", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:10:14.010000", "created": "2026-01-24T05:10:14.010000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697451debd7d6e548e9e0767", "name": "PreCog Sweep - 2026-01-24 05h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T05:00:14.590000", "created": "2026-01-24T05:00:14.590000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69744f8615b5cc2bbc5a9112", "name": "PreCog Sweep - 2026-01-24 04h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T04:50:14.062000", "created": "2026-01-24T04:50:14.062000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69744d2e956b954a1f73fb11", "name": "PreCog Sweep - 2026-01-24 04h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T04:40:14.498000", "created": "2026-01-24T04:40:14.498000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "hostname": 102, "domain": 73 }, "indicator_count": 259, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/pduggusa/dugganusa-research", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch", "https://analytics.dugganusa.com/api/v1/stix/master" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Nitrogen ransomware", "Qilin", "Unknown malware", "Vidar", "Phorpiex", "Meterpreter", "Ghost rat", "Ransomhub", "Asyncrat" ], "industries": [], "unique_indicators": 4934 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/94.141.122.173", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6996ef256528000ea157373e", "name": "ThreatFix_URL_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:08:21.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA256": 1, "URL": 1197, "domain": 314, "hostname": 284 }, "indicator_count": 1806, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d7f5ee095dbef6a5596a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T20:00:48.797000", "created": "2026-01-23T20:20:05.279000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 23, "hostname": 24 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d0ec811c1eba11d727de", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T19:00:34.876000", "created": "2026-01-23T19:50:04.852000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 33, "hostname": 25 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973bbdc7ede58bf5c5684cd", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:20:12.183000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 25, "domain": 6 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973c2ddf1a3c59e50cf733a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:50:05.240000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 33, "hostname": 25, "domain": 6 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973adc4080817b837ceeacf", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T17:02:53.014000", "created": "2026-01-23T17:20:04.696000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "URL": 44, "domain": 6 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69739fb48d49d70962fd560e", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Phorpiex(39), Nitrogen Ransomware(36), Vidar(35), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T16:03:28.882000", "created": "2026-01-23T16:20:04.087000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 46, "domain": 6, "hostname": 20 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973a6bd71022ddec5b7d1e0", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Phorpiex(39), Nitrogen Ransomware(36), Vidar(35), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T16:03:28.882000", "created": "2026-01-23T16:50:05.020000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 46, "domain": 6, "hostname": 20 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://94.141.122.173/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://94.141.122.173/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780445779.7321818 }