{
  "type": "URL",
  "indicator": "https://adobe-us-updatefiles.digital/index.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://adobe-us-updatefiles.digital/index.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3784485395,
      "indicator": "https://adobe-us-updatefiles.digital/index.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "655de81a14bc690453688560",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
          "description": "CISA reports that LockBit 3.0 affiliates are leveraging CVE 2023-4966 (Citrix Bleed) to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.",
          "modified": "2023-12-22T11:02:14.625000",
          "created": "2023-11-22T11:38:01.453000",
          "tags": [
            "lockbit",
            "cve20234966",
            "citrix bleed",
            "ransomware",
            "anydesk abuse",
            "splashtop abuse"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 467,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 5,
            "YARA": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386556,
          "modified_text": "891 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ce8795f74ccdc8a4ad972f",
          "name": "Home | Sanselo | Realizare site web \u0219i aplica\u021bii de mobil",
          "description": "Aplica\u021bii mobile, \u00a31bn, \u20ac1.5bn \u00e2\u20ac\u00b5\u00a6 \u00c3\u20ac\u201c  \u00f4l iau i'r iddo.",
          "modified": "2025-05-14T21:14:50.899000",
          "created": "2024-08-28T02:12:37.280000",
          "tags": [
            "sanselo",
            "i aplicaii",
            "home",
            "realizare site",
            "servicii web",
            "mobile app",
            "contact blog",
            "selecteaz",
            "pagin",
            "future",
            "adres url",
            "ipv4",
            "ccro asnas39668",
            "intersat srl",
            "rola",
            "url http",
            "odcisk palca"
          ],
          "references": [
            "https://sanselo.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 11,
            "URL": 1533,
            "domain": 150,
            "email": 2,
            "hostname": 471,
            "FileHash-MD5": 236,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 979,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 3527,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f71c8324e5867aac6c2d30",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
          "description": "",
          "modified": "2025-05-10T01:01:10.390000",
          "created": "2025-04-10T01:18:59.600000",
          "tags": [
            "strong",
            "cisa",
            "lockbit",
            "citrix bleed",
            "netscaler adc",
            "iocs",
            "cve20234966",
            "mitre att",
            "powershell",
            "stopransomware",
            "psexec",
            "sector",
            "tools",
            "anydesk",
            "impacket",
            "enterprise",
            "hunt",
            "lsass",
            "cyber",
            "local",
            "download",
            "august",
            "malware",
            "legend",
            "adrecon",
            "plink",
            "service",
            "open",
            "import",
            "restrict",
            "upgrade",
            "protect",
            "ransomware",
            "mcafee",
            "ghost"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CTIwangus",
            "id": "186095",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 8,
            "URL": 5,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "386 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c55ae268b5c4556694db9f",
          "name": "CapsaciPhone.com | Found in Denver Recording Studio Domain",
          "description": "Emotet,\nLockBit,\nMakop,\nRedLine Stealer,",
          "modified": "2024-03-09T22:05:06.644000",
          "created": "2024-02-08T22:51:14.111000",
          "tags": [
            "contacted",
            "december",
            "dropped",
            "cymulate",
            "url collection",
            "execution",
            "ssl certificate",
            "roundup",
            "threat roundup",
            "unknown",
            "a domains",
            "domain",
            "creation date",
            "search",
            "tnhh quan",
            "dau tu",
            "dat ngoc",
            "date",
            "showing",
            "body",
            "next",
            "nxdomain",
            "record type",
            "ttl value",
            "algorithm",
            "data",
            "v3 serial",
            "number",
            "issuer",
            "cbe cnalphassl",
            "sha256",
            "g2 oglobalsign",
            "validity",
            "public key",
            "info",
            "email",
            "code",
            "server",
            "registrar abuse",
            "available from",
            "country",
            "cong ty",
            "porn",
            "referrer",
            "whois record",
            "historical ssl",
            "resolutions",
            "urls http",
            "malware",
            "lockbit",
            "makop",
            "redline stealer",
            "core",
            "iframe",
            "whois whois",
            "maliciosa",
            "relacionada con",
            "january",
            "february",
            "attack",
            "bitrat",
            "hacktool",
            "malicious",
            "emotet",
            "wide"
          ],
          "references": [
            "capsaciphone.com",
            "nr-data.net. [Apple Private Data Collection]",
            "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
            "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
            "www.pornhub.com [iOS password decryption]",
            "www.anyxxxtube.net",
            "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "golddesisex.com",
            "websexgay.net",
            "http://golddesisex.com/en/search/xxx-bloody-hymen",
            "http://golddesisex.com/en/search/boob-licking-gifs",
            "http://173.255.214.126:8080/oMhELssex",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
            "Found in https://side3.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Makop",
              "display_name": "Makop",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 939,
            "URL": 5397,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 78,
            "FileHash-SHA256": 2224,
            "hostname": 1294,
            "email": 3,
            "CVE": 3
          },
          "indicator_count": 10016,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "812 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655ef901b6ecadcce5663ac4",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
          "description": "",
          "modified": "2023-12-22T11:02:14.625000",
          "created": "2023-11-23T07:02:25.982000",
          "tags": [
            "lockbit",
            "cve20234966",
            "citrix bleed",
            "ransomware",
            "anydesk abuse",
            "splashtop abuse"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655de81a14bc690453688560",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 5,
            "YARA": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "891 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655efd6804d4d876d841f705",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
          "description": "",
          "modified": "2023-12-22T11:02:14.625000",
          "created": "2023-11-23T07:21:12.319000",
          "tags": [
            "lockbit",
            "cve20234966",
            "citrix bleed",
            "ransomware",
            "anydesk abuse",
            "splashtop abuse"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655ef901b6ecadcce5663ac4",
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 5,
            "YARA": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "891 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "656acc003ddc30963eb69a17",
          "name": "test",
          "description": "",
          "modified": "2023-12-22T11:02:14.625000",
          "created": "2023-12-02T06:17:36.789000",
          "tags": [
            "lockbit",
            "cve20234966",
            "citrix bleed",
            "ransomware",
            "anydesk abuse",
            "splashtop abuse"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "655de81a14bc690453688560",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MG_MPGSOC",
            "id": "263709",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 5,
            "YARA": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "891 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655d7398a2130d2fbc1d6e7a",
          "name": "AA23-325A Citrix Bleed Lockbit Ransomware Exploit CVE 2023-4966",
          "description": "The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate\u2019s Australian Cyber Security Center (ASD\u2019s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.",
          "modified": "2023-12-22T03:04:13.242000",
          "created": "2023-11-22T03:20:56.803000",
          "tags": [
            "cisa1047891501",
            "cisa code",
            "media analysis",
            "detects trojan",
            "cisa1047891502",
            "pe32"
          ],
          "references": [
            "https://www.cisa.gov/sites/default/files/2023-11/AA23-325A.stix_.xml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "healeywap",
            "id": "217398",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 45,
            "URL": 64,
            "hostname": 23,
            "domain": 51
          },
          "indicator_count": 183,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "891 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "655cd810f251f982bbed7b6e",
          "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
          "description": "Ransomware is a growing threat to networks, but how do you protect against it and what can you know about the latest threat? \u00a32.5m worth of ransomware has been discovered on a Boeing website.",
          "modified": "2023-12-21T16:04:29.917000",
          "created": "2023-11-21T16:17:20.724000",
          "tags": [
            "cisa",
            "lockbit",
            "netscaler adc",
            "iocs",
            "cve20234966",
            "powershell",
            "ttps",
            "center",
            "mitre att",
            "citrix bleed",
            "anydesk",
            "enterprise",
            "lsass",
            "psexec",
            "august",
            "plink",
            "service",
            "restrict",
            "upgrade",
            "bleed",
            "threat"
          ],
          "references": [
            "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "Bleed",
              "display_name": "Bleed",
              "target": null
            },
            {
              "id": "Threat",
              "display_name": "Threat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1563",
              "name": "Remote Service Session Hijacking",
              "display_name": "T1563 - Remote Service Session Hijacking"
            },
            {
              "id": "T1531",
              "name": "Account Access Removal",
              "display_name": "T1531 - Account Access Removal"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Critical Infrastructure",
            "Education",
            "Energy",
            "Financial Services",
            "Food",
            "Agriculture",
            "Government",
            "Healthcare",
            "Manufacturing",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 8,
            "URL": 5,
            "YARA": 5,
            "domain": 3,
            "email": 1,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "892 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Found in https://side3.com",
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a",
        "www.pornhub.com [iOS password decryption]",
        "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
        "websexgay.net",
        "capsaciphone.com",
        "http://golddesisex.com/en/search/boob-licking-gifs",
        "http://173.255.214.126:8080/oMhELssex",
        "http://golddesisex.com/en/search/xxx-bloody-hymen",
        "www.anyxxxtube.net",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "golddesisex.com",
        "https://www.cisa.gov/sites/default/files/2023-11/AA23-325A.stix_.xml",
        "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
        "https://sanselo.com/",
        "nr-data.net. [Apple Private Data Collection]"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Lockbit"
          ],
          "industries": [],
          "unique_indicators": 34
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Bleed",
            "Lockbit",
            "Makop",
            "Redline stealer",
            "Emotet",
            "Threat"
          ],
          "industries": [
            "Food",
            "Government",
            "Transportation",
            "Manufacturing",
            "Agriculture",
            "Critical infrastructure",
            "Healthcare",
            "Education",
            "Energy",
            "Financial services"
          ],
          "unique_indicators": 13846
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/adobe-us-updatefiles.digital",
    "whois": "http://whois.domaintools.com/adobe-us-updatefiles.digital",
    "domain": "adobe-us-updatefiles.digital",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "655de81a14bc690453688560",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
      "description": "CISA reports that Lockbit 3.0 affiliates are leveraging CVE 2023-4966 (Citrix Bleed) to bypass password requirements and multifactor authentication (MFA), leading to successful session hijacking of legitimate user sessions on Citrix NetScaler web application delivery control (ADC) and Gateway appliances.",
      "modified": "2023-12-22T11:02:14.625000",
      "created": "2023-11-22T11:38:01.453000",
      "tags": [
        "lockbit",
        "cve20234966",
        "citrix bleed",
        "ransomware",
        "anydesk abuse",
        "splashtop abuse"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 467,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 5,
        "YARA": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386556,
      "modified_text": "891 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ce8795f74ccdc8a4ad972f",
      "name": "Home | Sanselo | Realizare site web \u0219i aplica\u021bii de mobil",
      "description": "Aplica\u021bii mobile, \u00a31bn, \u20ac1.5bn \u00e2\u20ac\u00b5\u00a6 \u00c3\u20ac\u201c  \u00f4l iau i'r iddo.",
      "modified": "2025-05-14T21:14:50.899000",
      "created": "2024-08-28T02:12:37.280000",
      "tags": [
        "sanselo",
        "i aplicaii",
        "home",
        "realizare site",
        "servicii web",
        "mobile app",
        "contact blog",
        "selecteaz",
        "pagin",
        "future",
        "adres url",
        "ipv4",
        "ccro asnas39668",
        "intersat srl",
        "rola",
        "url http",
        "odcisk palca"
      ],
      "references": [
        "https://sanselo.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 11,
        "URL": 1533,
        "domain": 150,
        "email": 2,
        "hostname": 471,
        "FileHash-MD5": 236,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 979,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 3527,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 124,
      "modified_text": "381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f71c8324e5867aac6c2d30",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
      "description": "",
      "modified": "2025-05-10T01:01:10.390000",
      "created": "2025-04-10T01:18:59.600000",
      "tags": [
        "strong",
        "cisa",
        "lockbit",
        "citrix bleed",
        "netscaler adc",
        "iocs",
        "cve20234966",
        "mitre att",
        "powershell",
        "stopransomware",
        "psexec",
        "sector",
        "tools",
        "anydesk",
        "impacket",
        "enterprise",
        "hunt",
        "lsass",
        "cyber",
        "local",
        "download",
        "august",
        "malware",
        "legend",
        "adrecon",
        "plink",
        "service",
        "open",
        "import",
        "restrict",
        "upgrade",
        "protect",
        "ransomware",
        "mcafee",
        "ghost"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CTIwangus",
        "id": "186095",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 8,
        "URL": 5,
        "domain": 3,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 2,
      "modified_text": "386 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c55ae268b5c4556694db9f",
      "name": "CapsaciPhone.com | Found in Denver Recording Studio Domain",
      "description": "Emotet,\nLockBit,\nMakop,\nRedLine Stealer,",
      "modified": "2024-03-09T22:05:06.644000",
      "created": "2024-02-08T22:51:14.111000",
      "tags": [
        "contacted",
        "december",
        "dropped",
        "cymulate",
        "url collection",
        "execution",
        "ssl certificate",
        "roundup",
        "threat roundup",
        "unknown",
        "a domains",
        "domain",
        "creation date",
        "search",
        "tnhh quan",
        "dau tu",
        "dat ngoc",
        "date",
        "showing",
        "body",
        "next",
        "nxdomain",
        "record type",
        "ttl value",
        "algorithm",
        "data",
        "v3 serial",
        "number",
        "issuer",
        "cbe cnalphassl",
        "sha256",
        "g2 oglobalsign",
        "validity",
        "public key",
        "info",
        "email",
        "code",
        "server",
        "registrar abuse",
        "available from",
        "country",
        "cong ty",
        "porn",
        "referrer",
        "whois record",
        "historical ssl",
        "resolutions",
        "urls http",
        "malware",
        "lockbit",
        "makop",
        "redline stealer",
        "core",
        "iframe",
        "whois whois",
        "maliciosa",
        "relacionada con",
        "january",
        "february",
        "attack",
        "bitrat",
        "hacktool",
        "malicious",
        "emotet",
        "wide"
      ],
      "references": [
        "capsaciphone.com",
        "nr-data.net. [Apple Private Data Collection]",
        "15b7e1434ba582ab85f7d7783093522e4bbae83b1f24a6388cd51852aa3d8aba bam [nr-data.net -apple data collection (new relic)]",
        "http://vortex-nlb-http2-fed-us-taut-purple.nr-data.net/        [nr-data.net -apple data collection (new relic)]",
        "www.pornhub.com [iOS password decryption]",
        "www.anyxxxtube.net",
        "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "golddesisex.com",
        "websexgay.net",
        "http://golddesisex.com/en/search/xxx-bloody-hymen",
        "http://golddesisex.com/en/search/boob-licking-gifs",
        "http://173.255.214.126:8080/oMhELssex",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://d500.userdrive.me/d/3wj67osl2as5ln23p3io5gjrhoxma3o42ioy2hjvs3dctulo5j76ugf7njke2nse6jzyjhra/Ableton-Live-Suite-2011.3.13%20+%20_-_gen.zip",
        "Found in https://side3.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "Makop",
          "display_name": "Makop",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 939,
        "URL": 5397,
        "FileHash-MD5": 78,
        "FileHash-SHA1": 78,
        "FileHash-SHA256": 2224,
        "hostname": 1294,
        "email": 3,
        "CVE": 3
      },
      "indicator_count": 10016,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "812 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655ef901b6ecadcce5663ac4",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
      "description": "",
      "modified": "2023-12-22T11:02:14.625000",
      "created": "2023-11-23T07:02:25.982000",
      "tags": [
        "lockbit",
        "cve20234966",
        "citrix bleed",
        "ransomware",
        "anydesk abuse",
        "splashtop abuse"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "655de81a14bc690453688560",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 5,
        "YARA": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "891 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655efd6804d4d876d841f705",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability",
      "description": "",
      "modified": "2023-12-22T11:02:14.625000",
      "created": "2023-11-23T07:21:12.319000",
      "tags": [
        "lockbit",
        "cve20234966",
        "citrix bleed",
        "ransomware",
        "anydesk abuse",
        "splashtop abuse"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "655ef901b6ecadcce5663ac4",
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 5,
        "YARA": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "891 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "656acc003ddc30963eb69a17",
      "name": "test",
      "description": "",
      "modified": "2023-12-22T11:02:14.625000",
      "created": "2023-12-02T06:17:36.789000",
      "tags": [
        "lockbit",
        "cve20234966",
        "citrix bleed",
        "ransomware",
        "anydesk abuse",
        "splashtop abuse"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "655de81a14bc690453688560",
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MG_MPGSOC",
        "id": "263709",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 5,
        "YARA": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "891 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655d7398a2130d2fbc1d6e7a",
      "name": "AA23-325A Citrix Bleed Lockbit Ransomware Exploit CVE 2023-4966",
      "description": "The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate\u2019s Australian Cyber Security Center (ASD\u2019s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.",
      "modified": "2023-12-22T03:04:13.242000",
      "created": "2023-11-22T03:20:56.803000",
      "tags": [
        "cisa1047891501",
        "cisa code",
        "media analysis",
        "detects trojan",
        "cisa1047891502",
        "pe32"
      ],
      "references": [
        "https://www.cisa.gov/sites/default/files/2023-11/AA23-325A.stix_.xml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "healeywap",
        "id": "217398",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 45,
        "URL": 64,
        "hostname": 23,
        "domain": 51
      },
      "indicator_count": 183,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "891 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "655cd810f251f982bbed7b6e",
      "name": "#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability | CISA",
      "description": "Ransomware is a growing threat to networks, but how do you protect against it and what can you know about the latest threat? \u00a32.5m worth of ransomware has been discovered on a Boeing website.",
      "modified": "2023-12-21T16:04:29.917000",
      "created": "2023-11-21T16:17:20.724000",
      "tags": [
        "cisa",
        "lockbit",
        "netscaler adc",
        "iocs",
        "cve20234966",
        "powershell",
        "ttps",
        "center",
        "mitre att",
        "citrix bleed",
        "anydesk",
        "enterprise",
        "lsass",
        "psexec",
        "august",
        "plink",
        "service",
        "restrict",
        "upgrade",
        "bleed",
        "threat"
      ],
      "references": [
        "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "Bleed",
          "display_name": "Bleed",
          "target": null
        },
        {
          "id": "Threat",
          "display_name": "Threat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "display_name": "T1563 - Remote Service Session Hijacking"
        },
        {
          "id": "T1531",
          "name": "Account Access Removal",
          "display_name": "T1531 - Account Access Removal"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Critical Infrastructure",
        "Education",
        "Energy",
        "Financial Services",
        "Food",
        "Agriculture",
        "Government",
        "Healthcare",
        "Manufacturing",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 8,
        "URL": 5,
        "YARA": 5,
        "domain": 3,
        "email": 1,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "892 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://adobe-us-updatefiles.digital/index.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://adobe-us-updatefiles.digital/index.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780248500.4843104
}