{
  "type": "URL",
  "indicator": "https://api.hellknight.xyz/js",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://api.hellknight.xyz/js",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4159757137,
      "indicator": "https://api.hellknight.xyz/js",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "693ae06402fe5f1d81a2b7c3",
          "name": "It didn\u2019t take long: CVE-2025-55182 is now under active exploitation",
          "description": "A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.",
          "modified": "2026-01-10T15:00:39.782000",
          "created": "2025-12-11T15:16:52.116000",
          "tags": [
            "crypto miner",
            "vulnerability",
            "exploitation",
            "cve-2025-55182",
            "xmrig",
            "mirai",
            "react server components",
            "react4shell",
            "honeypot",
            "gafgyt",
            "rondodox",
            "botnet"
          ],
          "references": [
            "https://securelist.com/cve-2025-55182-exploitation/118331"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Gafgyt",
              "display_name": "Gafgyt",
              "target": null
            },
            {
              "id": "RondoDox",
              "display_name": "RondoDox",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 3,
            "URL": 34,
            "hostname": 2
          },
          "indicator_count": 51,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386506,
          "modified_text": "140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69649796f4ecec74cac3be6e",
          "name": "Threat Intel Report - W49-2025",
          "description": "Weekly recommendations for all IT Administrators and CISOs to take corrective action and upgrade their security infrastructure against threats and attacks newly identified during the week.",
          "modified": "2026-02-11T06:02:28.302000",
          "created": "2026-01-12T06:41:26.363000",
          "tags": [
            "mozi",
            "clearfake",
            "asyncrat link",
            "vidar link",
            "kongtuke",
            "russia",
            "urls https",
            "fake os",
            "update",
            "salatstealer"
          ],
          "references": [
            "https://any.run/malware-trends/",
            "https://urlhaus.abuse.ch/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 37,
            "FileHash-SHA1": 37,
            "FileHash-SHA256": 61,
            "URL": 421,
            "domain": 22,
            "hostname": 69
          },
          "indicator_count": 647,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 106,
          "modified_text": "109 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694bde495c4f1023c4a3c1ab",
          "name": "EbeeDec2025 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-23T12:00:04.403000",
          "created": "2025-12-24T12:36:25.036000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "yara",
            "name"
          ],
          "references": [
            "Book2.csv"
          ],
          "public": 1,
          "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 149,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 165,
            "CVE": 5,
            "URL": 86,
            "domain": 146,
            "email": 10,
            "hostname": 40
          },
          "indicator_count": 760,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "127 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6942fb0ce613e0d9555839bf",
          "name": "EbeeDec2025 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-16T18:05:42.447000",
          "created": "2025-12-17T18:48:44.660000",
          "tags": [
            "filehashmd5",
            "filehashsha256",
            "filehashsha1"
          ],
          "references": [
            "Book2.csv"
          ],
          "public": 1,
          "adversary": "Ashen Lepus, Campaign to deliver Python based Malware, ConsentFix, Luca Stealer, Makop ransomware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 61,
            "CVE": 4,
            "FileHash-MD5": 174,
            "FileHash-SHA1": 154,
            "FileHash-SHA256": 166,
            "domain": 96,
            "hostname": 25
          },
          "indicator_count": 680,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "134 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "694185965365f9d0b940ae57",
          "name": "React2Shell",
          "description": "CVE-2025-55182 (React2Shell) is a critical unauthenticated RCE vulnerability in the React Server Components (RSC) \"Flight\" protocol currently being widely exploited in the wild across several threat clusters, ranging from opportunistic cybercrime actors to China-nexus threat groups such as Earth Lamia and Jackpot Panda.",
          "modified": "2026-01-15T17:02:40.253000",
          "created": "2025-12-16T16:15:17.300000",
          "tags": [
            "Earth Lamia",
            "Jackpot Panda",
            "China",
            "China-nexus",
            "React2Shell",
            "React",
            "C2",
            "CVE-2025-55182",
            "Next.js",
            "PeerBlight",
            "ZinFoq",
            "CowTunnel",
            "Kaiji",
            "SNOWLIGHT",
            "VSHELL",
            "XMRig",
            "COMPOOD",
            "MINOCAT",
            "Auto-color",
            "RCE",
            "EtherRAT",
            "CVE-2025-66478",
            "UNC5174",
            "Cobalt Strike",
            "KSwapDoor",
            "PRC",
            "RSC",
            "Noodle RAT",
            "Node.js"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt",
            "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182",
            "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf",
            "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive",
            "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/",
            "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/",
            "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell",
            "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far",
            "https://www.cve.org/CVERecord?id=CVE-2025-55182",
            "https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
            "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/",
            "https://corelight.com/blog/react2shell"
          ],
          "public": 1,
          "adversary": "Earth Lamia / Jackpot Panda",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "VSHELL",
              "display_name": "VSHELL",
              "target": null
            },
            {
              "id": "COMPOOD",
              "display_name": "COMPOOD",
              "target": null
            },
            {
              "id": "SNOWLIGHT",
              "display_name": "SNOWLIGHT",
              "target": null
            },
            {
              "id": "HISONIC",
              "display_name": "HISONIC",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            },
            {
              "id": "MINOCAT",
              "display_name": "MINOCAT",
              "target": null
            },
            {
              "id": "PeerBlight",
              "display_name": "PeerBlight",
              "target": null
            },
            {
              "id": "CowTunnel",
              "display_name": "CowTunnel",
              "target": null
            },
            {
              "id": "ZinFoq",
              "display_name": "ZinFoq",
              "target": null
            },
            {
              "id": "Kaiji",
              "display_name": "Kaiji",
              "target": null
            },
            {
              "id": "Noodle RAT",
              "display_name": "Noodle RAT",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "KSwapDoor",
              "display_name": "KSwapDoor",
              "target": null
            },
            {
              "id": "EtherRAT",
              "display_name": "EtherRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            }
          ],
          "industries": [
            "Finance",
            "Logistics",
            "Retail",
            "Technology",
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 9,
            "FileHash-MD5": 68,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 89,
            "URL": 152,
            "hostname": 30,
            "YARA": 3
          },
          "indicator_count": 427,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "135 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "693c870022007ce897c76608",
          "name": "It didn\u2019t take long: CVE-2025-55182 is now under active exploitation",
          "description": "CVE-2025-55182 is a critical vulnerability with a CVSS score of 10.0, recently made public on December 4, 2025. This vulnerability, informally referred to as React4Shell, impacts the React Server Components (RSC) functionality, which is utilized in web applications built with the React library. RSC enhances user interface rendering by dividing workloads between the client and server, but this capability has introduced significant security risks.\n\nThe flaw is classified under CWE-502, indicating it involves the deserialization of untrusted data. This vulnerability enables an attacker to execute arbitrary commands and gain the ability to read and write files within directories accessible to the web application, operating with the privileges of the server process. This elevation of privilege adds to the severity and attractiveness of the exploit for cybercriminals.",
          "modified": "2026-01-11T21:01:39.704000",
          "created": "2025-12-12T21:20:00.757000",
          "tags": [
            "botnets",
            "internet of things",
            "linux",
            "miner",
            "mirai",
            "react",
            "react4shell",
            "rondodox",
            "vulnerabilities",
            "vulnerabilities and exploits",
            "cve202555182",
            "react server",
            "december",
            "kaspersky",
            "components",
            "cvss score",
            "react library",
            "xmrig",
            "beyond",
            "toddycat",
            "windows",
            "bluenoroff",
            "ghosthire"
          ],
          "references": [
            "https://securelist.com/cve-2025-55182-exploitation/118331/"
          ],
          "public": 1,
          "adversary": "ToddyCat",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1565",
              "name": "Data Manipulation",
              "display_name": "T1565 - Data Manipulation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 5,
            "URL": 38,
            "hostname": 3
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "139 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6940e521b7aeecea8a5affca",
          "name": "It didn\u2019t take long: CVE-2025-55182 is now under active exploitation",
          "description": "",
          "modified": "2026-01-10T15:00:39.782000",
          "created": "2025-12-16T04:50:41.530000",
          "tags": [
            "crypto miner",
            "vulnerability",
            "exploitation",
            "cve-2025-55182",
            "xmrig",
            "mirai",
            "react server components",
            "react4shell",
            "honeypot",
            "gafgyt",
            "rondodox",
            "botnet"
          ],
          "references": [
            "https://securelist.com/cve-2025-55182-exploitation/118331"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "Gafgyt",
              "display_name": "Gafgyt",
              "target": null
            },
            {
              "id": "RondoDox",
              "display_name": "RondoDox",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "693ae06402fe5f1d81a2b7c3",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 3,
            "URL": 34,
            "hostname": 2
          },
          "indicator_count": 51,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "693ac21225c36da419dbd4f1",
          "name": "EbeeDec2025 Pt2",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-10T13:01:53.320000",
          "created": "2025-12-11T13:07:30.549000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "filename",
            "cve20251338 cve",
            "bitcoinaddress"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 95,
            "hostname": 42,
            "CIDR": 1,
            "CVE": 2,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 230,
            "FileHash-SHA256": 224,
            "domain": 99,
            "email": 1
          },
          "indicator_count": 887,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6937802c767e45cf529cc27f",
          "name": "URLHaus data - 08-12-2025 (Part 2)",
          "description": "",
          "modified": "2026-01-08T01:02:20.370000",
          "created": "2025-12-09T01:49:31.997000",
          "tags": [
            "ClearFake",
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "c2-monitor-auto",
            "dropped-by-amadey",
            "CoinMiner",
            "arm",
            "mirai",
            "geofenced",
            "SuperH",
            "ua-wget",
            "USA",
            "x86",
            "sparc",
            "arc",
            "m68k",
            "PowerPC",
            "sh",
            "zip",
            "Fake Job Platform",
            "a3dacb",
            "Fuery",
            "Vidar",
            "ascii",
            "Encoded",
            "PhantomStealer",
            "rat",
            "RemcosRAT",
            "DarkCloud",
            "encrypted",
            "GuLoader",
            "powershell",
            "ps1",
            "Formbook",
            "rev-base64-loader",
            "xworm",
            "AgentTesla",
            "NetSupport",
            "exe",
            "Stealc",
            "donutloader",
            "config",
            "json",
            "apk",
            "mamont",
            "AmateraStealer",
            "Unknown Stealer",
            "spymax",
            "AsyncRAT",
            "opendir",
            "Adware.Techsnab",
            "MaskGramStealer",
            "censys",
            "CobaltStrike",
            "hajime",
            "backdoor",
            "sshdkit",
            "cybergate",
            "banker",
            "PythonStealer",
            "stealer",
            "DarkTortilla",
            "trojan",
            "VanillaRatStub",
            "c2",
            "gafgyt",
            "x86-32",
            "perl",
            "netcat",
            "Amadey"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 260,
            "domain": 6,
            "hostname": 4
          },
          "indicator_count": 270,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Book1.csv",
        "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell",
        "https://corelight.com/blog/react2shell",
        "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182",
        "https://securelist.com/cve-2025-55182-exploitation/118331/",
        "https://any.run/malware-trends/",
        "https://urlhaus.abuse.ch/",
        "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far",
        "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive",
        "https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
        "https://urlhaus.abuse.ch/browse/",
        "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf",
        "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/",
        "https://securelist.com/cve-2025-55182-exploitation/118331",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt",
        "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/",
        "https://www.cve.org/CVERecord?id=CVE-2025-55182",
        "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/",
        "Book2.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Gafgyt",
            "Xmrig",
            "Mirai",
            "Rondodox"
          ],
          "industries": [],
          "unique_indicators": 60
        },
        "other": {
          "adversary": [
            "ToddyCat",
            "Ashen Lepus, Campaign to deliver Python based Malware, ConsentFix, Luca Stealer, Makop ransomware",
            "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex",
            "Earth Lamia / Jackpot Panda",
            "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing"
          ],
          "malware_families": [
            "Peerblight",
            "Minocat",
            "Compood",
            "Zinfoq",
            "Cobalt strike",
            "Vshell",
            "Kaiji",
            "Xmrig",
            "Etherrat",
            "Gafgyt",
            "Snowlight",
            "Hisonic",
            "Cowtunnel",
            "Rondodox",
            "Mirai",
            "Kswapdoor",
            "Noodle rat"
          ],
          "industries": [
            "Logistics",
            "Education",
            "Finance",
            "Government",
            "Retail",
            "Technology"
          ],
          "unique_indicators": 3855
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/hellknight.xyz",
    "whois": "http://whois.domaintools.com/hellknight.xyz",
    "domain": "hellknight.xyz",
    "hostname": "api.hellknight.xyz"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "693ae06402fe5f1d81a2b7c3",
      "name": "It didn\u2019t take long: CVE-2025-55182 is now under active exploitation",
      "description": "A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a surge in exploitation attempts, with attackers deploying various malware, including crypto miners and the RondoDox botnet. The vulnerability affects multiple React-related packages and bundles. Threat actors are leveraging this exploit to steal credentials, compromise cloud infrastructures, and potentially launch supply chain attacks. Immediate patching and implementation of security measures are strongly recommended to mitigate risks associated with this high-severity vulnerability.",
      "modified": "2026-01-10T15:00:39.782000",
      "created": "2025-12-11T15:16:52.116000",
      "tags": [
        "crypto miner",
        "vulnerability",
        "exploitation",
        "cve-2025-55182",
        "xmrig",
        "mirai",
        "react server components",
        "react4shell",
        "honeypot",
        "gafgyt",
        "rondodox",
        "botnet"
      ],
      "references": [
        "https://securelist.com/cve-2025-55182-exploitation/118331"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Gafgyt",
          "display_name": "Gafgyt",
          "target": null
        },
        {
          "id": "RondoDox",
          "display_name": "RondoDox",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 3,
        "URL": 34,
        "hostname": 2
      },
      "indicator_count": 51,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386506,
      "modified_text": "140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69649796f4ecec74cac3be6e",
      "name": "Threat Intel Report - W49-2025",
      "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in the week.",
      "modified": "2026-02-11T06:02:28.302000",
      "created": "2026-01-12T06:41:26.363000",
      "tags": [
        "mozi",
        "clearfake",
        "asyncrat link",
        "vidar link",
        "kongtuke",
        "russia",
        "urls https",
        "fake os",
        "update",
        "salatstealer"
      ],
      "references": [
        "https://any.run/malware-trends/",
        "https://urlhaus.abuse.ch/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 37,
        "FileHash-SHA1": 37,
        "FileHash-SHA256": 61,
        "URL": 421,
        "domain": 22,
        "hostname": 69
      },
      "indicator_count": 647,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 106,
      "modified_text": "109 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694bde495c4f1023c4a3c1ab",
      "name": "EbeeDec2025 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-23T12:00:04.403000",
      "created": "2025-12-24T12:36:25.036000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "yara",
        "name"
      ],
      "references": [
        "Book2.csv"
      ],
      "public": 1,
      "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 149,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 165,
        "CVE": 5,
        "URL": 86,
        "domain": 146,
        "email": 10,
        "hostname": 40
      },
      "indicator_count": 760,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "127 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6942fb0ce613e0d9555839bf",
      "name": "EbeeDec2025 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-16T18:05:42.447000",
      "created": "2025-12-17T18:48:44.660000",
      "tags": [
        "filehashmd5",
        "filehashsha256",
        "filehashsha1"
      ],
      "references": [
        "Book2.csv"
      ],
      "public": 1,
      "adversary": "Ashen Lepus, Campaign to deliver Python based Malware, ConsentFix, Luca Stealer, Makop ransomware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 61,
        "CVE": 4,
        "FileHash-MD5": 174,
        "FileHash-SHA1": 154,
        "FileHash-SHA256": 166,
        "domain": 96,
        "hostname": 25
      },
      "indicator_count": 680,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "134 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "694185965365f9d0b940ae57",
      "name": "React2Shell",
      "description": "CVE-2025-55182 (React2Shell) is a critical unauthenticated RCE vulnerability in the React Server Components (RSC) \"Flight\" protocol currently being widely exploited in the wild across several threat clusters, ranging from opportunistic cybercrime actors to China-nexus threat groups such as Earth Lamia and Jackpot Panda.",
      "modified": "2026-01-15T17:02:40.253000",
      "created": "2025-12-16T16:15:17.300000",
      "tags": [
        "Earth Lamia",
        "Jackpot Panda",
        "China",
        "China-nexus",
        "React2Shell",
        "React",
        "C2",
        "CVE-2025-55182",
        "Next.js",
        "PeerBlight",
        "ZinFoq",
        "CowTunnel",
        "Kaiji",
        "SNOWLIGHT",
        "VSHELL",
        "XMRig",
        "COMPOOD",
        "MINOCAT",
        "Auto-color",
        "RCE",
        "EtherRAT",
        "CVE-2025-66478",
        "UNC5174",
        "Cobalt Strike",
        "KSwapDoor",
        "PRC",
        "RSC",
        "Noodle RAT",
        "Node.js"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/l/cve-2025-55182-analysis-poc-itw/CVE-2025-55182-combined-IOCs-F.txt",
        "https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182",
        "https://info.greynoise.io/hubfs/At-The-Edge/Weekly-Intelligence-Brief-120825.pdf",
        "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive",
        "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/",
        "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/",
        "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell",
        "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far",
        "https://www.cve.org/CVERecord?id=CVE-2025-55182",
        "https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
        "https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/",
        "https://corelight.com/blog/react2shell"
      ],
      "public": 1,
      "adversary": "Earth Lamia / Jackpot Panda",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "VSHELL",
          "display_name": "VSHELL",
          "target": null
        },
        {
          "id": "COMPOOD",
          "display_name": "COMPOOD",
          "target": null
        },
        {
          "id": "SNOWLIGHT",
          "display_name": "SNOWLIGHT",
          "target": null
        },
        {
          "id": "HISONIC",
          "display_name": "HISONIC",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        },
        {
          "id": "MINOCAT",
          "display_name": "MINOCAT",
          "target": null
        },
        {
          "id": "PeerBlight",
          "display_name": "PeerBlight",
          "target": null
        },
        {
          "id": "CowTunnel",
          "display_name": "CowTunnel",
          "target": null
        },
        {
          "id": "ZinFoq",
          "display_name": "ZinFoq",
          "target": null
        },
        {
          "id": "Kaiji",
          "display_name": "Kaiji",
          "target": null
        },
        {
          "id": "Noodle RAT",
          "display_name": "Noodle RAT",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "KSwapDoor",
          "display_name": "KSwapDoor",
          "target": null
        },
        {
          "id": "EtherRAT",
          "display_name": "EtherRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        }
      ],
      "industries": [
        "Finance",
        "Logistics",
        "Retail",
        "Technology",
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "v0od0o.exe",
        "id": "273579",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 9,
        "FileHash-MD5": 68,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 89,
        "URL": 152,
        "hostname": 30,
        "YARA": 3
      },
      "indicator_count": 427,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 28,
      "modified_text": "135 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "693c870022007ce897c76608",
      "name": "It didnt take long: CVE-2025-55182 is now under active exploitation",
      "description": "CVE-2025-55182 is a critical vulnerability with a CVSS score of 10.0, recently made public on December 4, 2025. This vulnerability, informally referred to as React4Shell, impacts the React Server Components (RSC) functionality, which is utilized in web applications built with the React library. RSC enhances user interface rendering by dividing workloads between the client and server, but this capability has introduced significant security risks.\n\nThe flaw is classified under CWE-502, indicating it involves the deserialization of untrusted data. This vulnerability enables an attacker to execute arbitrary commands and gain the ability to read and write files within directories accessible to the web application, operating with the privileges of the server process. This elevation of privilege adds to the severity and attractiveness of the exploit for cybercriminals.",
      "modified": "2026-01-11T21:01:39.704000",
      "created": "2025-12-12T21:20:00.757000",
      "tags": [
        "botnets",
        "internet of things",
        "linux",
        "miner",
        "mirai",
        "react",
        "react4shell",
        "rondodox",
        "vulnerabilities",
        "vulnerabilities and exploits",
        "cve202555182",
        "react server",
        "december",
        "kaspersky",
        "components",
        "cvss score",
        "react library",
        "xmrig",
        "beyond",
        "toddycat",
        "windows",
        "bluenoroff",
        "ghosthire"
      ],
      "references": [
        "https://securelist.com/cve-2025-55182-exploitation/118331/"
      ],
      "public": 1,
      "adversary": "ToddyCat",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1565",
          "name": "Data Manipulation",
          "display_name": "T1565 - Data Manipulation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 5,
        "URL": 38,
        "hostname": 3
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "139 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6940e521b7aeecea8a5affca",
      "name": "It didn\u2019t take long: CVE-2025-55182 is now under active exploitation",
      "description": "",
      "modified": "2026-01-10T15:00:39.782000",
      "created": "2025-12-16T04:50:41.530000",
      "tags": [
        "crypto miner",
        "vulnerability",
        "exploitation",
        "cve-2025-55182",
        "xmrig",
        "mirai",
        "react server components",
        "react4shell",
        "honeypot",
        "gafgyt",
        "rondodox",
        "botnet"
      ],
      "references": [
        "https://securelist.com/cve-2025-55182-exploitation/118331"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "Gafgyt",
          "display_name": "Gafgyt",
          "target": null
        },
        {
          "id": "RondoDox",
          "display_name": "RondoDox",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "693ae06402fe5f1d81a2b7c3",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 3,
        "URL": 34,
        "hostname": 2
      },
      "indicator_count": 51,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "693ac21225c36da419dbd4f1",
      "name": "EbeeDec2025 Pt2",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-10T13:01:53.320000",
      "created": "2025-12-11T13:07:30.549000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "filename",
        "cve20251338 cve",
        "bitcoinaddress"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "ShanyaUDPGangster, CastleRAT, StreamSpy, FvncBot, Multi-Stage Attack Chain using malicious VSCode Ex",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 95,
        "hostname": 42,
        "CIDR": 1,
        "CVE": 2,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 230,
        "FileHash-SHA256": 224,
        "domain": 99,
        "email": 1
      },
      "indicator_count": 887,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6937802c767e45cf529cc27f",
      "name": "URLHaus data - 08-12-2025 (Part 2)",
      "description": "",
      "modified": "2026-01-08T01:02:20.370000",
      "created": "2025-12-09T01:49:31.997000",
      "tags": [
        "ClearFake",
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "c2-monitor-auto",
        "dropped-by-amadey",
        "CoinMiner",
        "arm",
        "mirai",
        "geofenced",
        "SuperH",
        "ua-wget",
        "USA",
        "x86",
        "sparc",
        "arc",
        "m68k",
        "PowerPC",
        "sh",
        "zip",
        "Fake Job Platform",
        "a3dacb",
        "Fuery",
        "Vidar",
        "ascii",
        "Encoded",
        "PhantomStealer",
        "rat",
        "RemcosRAT",
        "DarkCloud",
        "encrypted",
        "GuLoader",
        "powershell",
        "ps1",
        "Formbook",
        "rev-base64-loader",
        "xworm",
        "AgentTesla",
        "NetSupport",
        "exe",
        "Stealc",
        "donutloader",
        "config",
        "json",
        "apk",
        "mamont",
        "AmateraStealer",
        "Unknown Stealer",
        "spymax",
        "AsyncRAT",
        "opendir",
        "Adware.Techsnab",
        "MaskGramStealer",
        "censys",
        "CobaltStrike",
        "hajime",
        "backdoor",
        "sshdkit",
        "cybergate",
        "banker",
        "PythonStealer",
        "stealer",
        "DarkTortilla",
        "trojan",
        "VanillaRatStub",
        "c2",
        "gafgyt",
        "x86-32",
        "perl",
        "netcat",
        "Amadey"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 260,
        "domain": 6,
        "hostname": 4
      },
      "indicator_count": 270,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://api.hellknight.xyz/js",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://api.hellknight.xyz/js",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "geofenced",
      "sh",
      "ua-wget",
      "USA"
    ],
    "date_added": "2025-12-08",
    "last_online": "2025-12-08",
    "reporter": "botnetkiller",
    "host": "api.hellknight.xyz",
    "payloads": [
      {
        "filename": "js",
        "file_type": "unknown",
        "md5": "7c5581bb58ae830af2c1fdb994b1bd6f",
        "sha256": "986b2532a7d955074dbd8a1a5dec3ce242997d593072fa641d09e1eddc5400d1",
        "signature": null,
        "first_seen": "2025-12-08"
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780222541.9989748
}