{
  "type": "URL",
  "indicator": "https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3645489174,
      "indicator": "https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "64134d77740d6bc14f3a8349",
          "name": "Winter Vivern | Uncovering a Wave of Global Espionage",
          "description": "The Winter Vivern Advanced Persistent Threat (APT) is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.",
          "modified": "2023-04-15T17:03:01.145000",
          "created": "2023-03-16T17:10:14.050000",
          "tags": [
            "winter vivern",
            "aperetif"
          ],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "Poland",
            "Italy",
            "Slovakia",
            "India",
            "Lithuania",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "IceFire",
              "display_name": "IceFire",
              "target": null
            },
            {
              "id": "Prev IceFire",
              "display_name": "Prev IceFire",
              "target": null
            },
            {
              "id": "Winter Vivern",
              "display_name": "Winter Vivern",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Telecommunications",
            "Foreign Affairs",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 362,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 6,
            "URL": 7,
            "domain": 6
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386733,
          "modified_text": "1143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643479b021136b7ef45e3022",
          "name": "Mercury group",
          "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
          "modified": "2023-05-10T20:00:32.823000",
          "created": "2023-04-10T21:03:44.475000",
          "tags": [
            "command",
            "dev1084 batch",
            "download rport",
            "rport domain",
            "ip address",
            "rport legit",
            "backdoor",
            "script backdoor",
            "na clear",
            "clear",
            "sha256 na",
            "sha1 na",
            "md5 na",
            "domain na",
            "clear https",
            "sha267",
            "cmd365 sample",
            "google firebase",
            "explorer",
            "chisel",
            "anydesk",
            "exploit"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "EagleEye",
            "id": "232889",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12,
            "FileHash-MD5": 80,
            "FileHash-SHA1": 79,
            "FileHash-SHA256": 152,
            "domain": 10,
            "hostname": 3
          },
          "indicator_count": 336,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "1117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6448452aaae6d3f476f5c954",
          "name": "Mercury group",
          "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
          "modified": "2023-05-10T20:00:32.823000",
          "created": "2023-04-25T21:24:58.002000",
          "tags": [
            "domain drokbk",
            "ip address",
            "drokbk c2",
            "abraham",
            "file name",
            "charmpower lure",
            "charmpower",
            "indicator type",
            "sha256 soldier",
            "drokbk",
            "clear",
            "sha1",
            "md5 mimikatz",
            "md5 netscan",
            "sha256 clear",
            "email address",
            "ransom note",
            "clear farusbig",
            "domain trigona",
            "command",
            "dev1084 batch",
            "download rport",
            "rport domain",
            "rport legit",
            "backdoor",
            "script backdoor",
            "na clear",
            "sha256 na",
            "sha1 na",
            "md5 na",
            "domain na",
            "clear https",
            "sha267",
            "cmd365 sample",
            "google firebase",
            "explorer",
            "chisel",
            "anydesk",
            "exploit"
          ],
          "references": [
            "Threat Insights: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "EagleEye",
            "id": "232889",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 13,
            "FileHash-MD5": 90,
            "FileHash-SHA1": 89,
            "FileHash-SHA256": 163,
            "domain": 19,
            "hostname": 3,
            "IPv4": 7,
            "email": 2
          },
          "indicator_count": 386,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "1117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64484a55bd892f876f68ffe5",
          "name": "Mercury group",
          "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
          "modified": "2023-05-10T20:00:32.823000",
          "created": "2023-04-25T21:47:01.671000",
          "tags": [
            "nokoyawa",
            "sha256 nokoyawa",
            "domain drokbk",
            "ip address",
            "drokbk c2",
            "abraham",
            "file name",
            "charmpower lure",
            "charmpower",
            "indicator type",
            "sha256 soldier",
            "drokbk",
            "clear",
            "sha1",
            "md5 mimikatz",
            "md5 netscan",
            "sha256 clear",
            "email address",
            "ransom note",
            "clear farusbig",
            "domain trigona",
            "command",
            "dev1084 batch",
            "download rport",
            "rport domain",
            "rport legit",
            "backdoor",
            "script backdoor",
            "na clear",
            "sha256 na",
            "sha1 na",
            "md5 na",
            "domain na",
            "clear https",
            "sha267",
            "cmd365 sample",
            "google firebase",
            "explorer",
            "chisel",
            "anydesk",
            "exploit"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "EagleEye",
            "id": "232889",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 13,
            "FileHash-MD5": 95,
            "FileHash-SHA1": 90,
            "FileHash-SHA256": 164,
            "domain": 23,
            "hostname": 3,
            "IPv4": 7,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 398,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "1117 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642ddda60735526b06c4c6ea",
          "name": "cve-2022-21587",
          "description": "Oracle E-Business Suite. CVE-2022-21587",
          "modified": "2023-05-05T20:01:31.955000",
          "created": "2023-04-05T20:44:22.129000",
          "tags": [
            "na clear",
            "clear",
            "sha256 na",
            "sha1 na",
            "md5 na",
            "domain na",
            "clear https",
            "sha267",
            "cmd365 sample",
            "google firebase",
            "explorer",
            "chisel",
            "anydesk",
            "exploit"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "EagleEye",
            "id": "232889",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 77,
            "FileHash-SHA256": 134,
            "domain": 9,
            "hostname": 2
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "1122 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64131a95f0a0534b306d83b4",
          "name": "Winter Vivern APT hackers use fake antivirus scans to install malware",
          "description": "",
          "modified": "2023-04-15T13:01:01.890000",
          "created": "2023-03-16T13:33:09.454000",
          "tags": [],
          "references": [
            "March 16th, 2023 - CryptoGen Cyber Threat Intelligence -Winter Vivern APT hackers use fake antivirus scans to install malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 4,
            "URL": 4,
            "domain": 8
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6412f1ae916404f18cc09ec5",
          "name": "Winter Vivern | Uncovering a Wave of Global Espionage - SentinelOne",
          "description": "The Winter Vivern Advanced Persistent Threat (APT) is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.",
          "modified": "2023-04-15T10:00:31.838000",
          "created": "2023-03-16T10:38:38.860000",
          "tags": [
            "winter vivern",
            "prev icefire",
            "aperetif",
            "cbzc",
            "ukraine",
            "foreign affairs",
            "powershell",
            "threat",
            "ukraine cert",
            "belarus",
            "russia",
            "slovakia",
            "live"
          ],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "Poland",
            "Italy",
            "Slovakia",
            "India",
            "Lithuania",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Prev IceFire",
              "display_name": "Prev IceFire",
              "target": null
            },
            {
              "id": "Winter Vivern",
              "display_name": "Winter Vivern",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Telecommunications",
            "Telecommunication",
            "Foreign Affairs",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9,
            "FileHash-SHA1": 7,
            "domain": 9
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 866,
          "modified_text": "1143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6414170aca8287f070e7f225",
          "name": "Winter Vivern  Uncovering a Wave of Global Espionage - SentinelOne",
          "description": "",
          "modified": "2023-04-15T10:00:31.838000",
          "created": "2023-03-17T07:30:18.516000",
          "tags": [
            "winter vivern",
            "prev icefire",
            "aperetif",
            "cbzc",
            "ukraine",
            "foreign affairs",
            "powershell",
            "threat",
            "ukraine cert",
            "belarus",
            "russia",
            "slovakia",
            "live"
          ],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "Poland",
            "Italy",
            "Slovakia",
            "India",
            "Lithuania",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Prev IceFire",
              "display_name": "Prev IceFire",
              "target": null
            },
            {
              "id": "Winter Vivern",
              "display_name": "Winter Vivern",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Telecommunications",
            "Telecommunication",
            "Foreign Affairs",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "6412f1ae916404f18cc09ec5",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9,
            "FileHash-SHA1": 7,
            "domain": 9
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 190,
          "modified_text": "1143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64141789c975ac2f473a8e98",
          "name": "Winter Vivern Uncovering a Wave of Global Espionage - SentinelOne",
          "description": "",
          "modified": "2023-04-15T10:00:31.838000",
          "created": "2023-03-17T07:32:25.108000",
          "tags": [
            "winter vivern",
            "prev icefire",
            "aperetif",
            "cbzc",
            "ukraine",
            "foreign affairs",
            "powershell",
            "threat",
            "ukraine cert",
            "belarus",
            "russia",
            "slovakia",
            "live"
          ],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "Poland",
            "Italy",
            "Slovakia",
            "India",
            "Lithuania",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Prev IceFire",
              "display_name": "Prev IceFire",
              "target": null
            },
            {
              "id": "Winter Vivern",
              "display_name": "Winter Vivern",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Telecommunications",
            "Telecommunication",
            "Foreign Affairs",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "6414170aca8287f070e7f225",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9,
            "FileHash-SHA1": 7,
            "domain": 9
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 281,
          "modified_text": "1143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64390a3382df137b2e0d9107",
          "name": "Winter Vivern | Uncovering a Wave of Global Espionage",
          "description": "",
          "modified": "2023-04-14T08:09:23.449000",
          "created": "2023-04-14T08:09:23.449000",
          "tags": [],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "India"
          ],
          "malware_families": [
            {
              "id": "APERETIF",
              "display_name": "APERETIF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            }
          ],
          "industries": [
            "Telecommunication",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "643904200e516efa91003960",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Y0utHS11",
            "id": "201713",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "IPv4": 5,
            "URL": 6,
            "domain": 9
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "1144 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643904200e516efa91003960",
          "name": "Winter Vivern | Uncovering a Wave of Global Espionage - SentinelOne",
          "description": "The Winter Vivern Advanced Persistent Threat (APT) is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.",
          "modified": "2023-04-14T07:43:28.254000",
          "created": "2023-04-14T07:43:28.254000",
          "tags": [],
          "references": [
            "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
          ],
          "public": 1,
          "adversary": "Winter Vivern",
          "targeted_countries": [
            "India"
          ],
          "malware_families": [
            {
              "id": "APERETIF",
              "display_name": "APERETIF",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            }
          ],
          "industries": [
            "Telecommunication",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "s2wlab_talon",
            "id": "125133",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "IPv4": 5,
            "URL": 6,
            "domain": 9
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "1144 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Threat Insights: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets",
        "March 16th, 2023 - CryptoGen Cyber Threat Intelligence -Winter Vivern APT hackers use fake antivirus scans to install malware.pdf",
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Winter Vivern"
          ],
          "malware_families": [
            "Icefire",
            "Prev icefire",
            "Winter vivern"
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Foreign affairs"
          ],
          "unique_indicators": 24
        },
        "other": {
          "adversary": [
            "Winter Vivern"
          ],
          "malware_families": [
            "Prev icefire",
            "Aperetif",
            "Winter vivern"
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Telecommunication",
            "Foreign affairs"
          ],
          "unique_indicators": 438
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/applesaltbeauty.com",
    "whois": "http://whois.domaintools.com/applesaltbeauty.com",
    "domain": "applesaltbeauty.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "64134d77740d6bc14f3a8349",
      "name": "Winter Vivern | Uncovering a Wave of Global Espionage",
      "description": "The Winter Vivern Advanced Persistent Threat (APT) is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.",
      "modified": "2023-04-15T17:03:01.145000",
      "created": "2023-03-16T17:10:14.050000",
      "tags": [
        "winter vivern",
        "aperetif"
      ],
      "references": [
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "public": 1,
      "adversary": "Winter Vivern",
      "targeted_countries": [
        "Poland",
        "Italy",
        "Slovakia",
        "India",
        "Lithuania",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "IceFire",
          "display_name": "IceFire",
          "target": null
        },
        {
          "id": "Prev IceFire",
          "display_name": "Prev IceFire",
          "target": null
        },
        {
          "id": "Winter Vivern",
          "display_name": "Winter Vivern",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Telecommunications",
        "Foreign Affairs",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 362,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 6,
        "URL": 7,
        "domain": 6
      },
      "indicator_count": 19,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386733,
      "modified_text": "1143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643479b021136b7ef45e3022",
      "name": "Mercury group",
      "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
      "modified": "2023-05-10T20:00:32.823000",
      "created": "2023-04-10T21:03:44.475000",
      "tags": [
        "command",
        "dev1084 batch",
        "download rport",
        "rport domain",
        "ip address",
        "rport legit",
        "backdoor",
        "script backdoor",
        "na clear",
        "clear",
        "sha256 na",
        "sha1 na",
        "md5 na",
        "domain na",
        "clear https",
        "sha267",
        "cmd365 sample",
        "google firebase",
        "explorer",
        "chisel",
        "anydesk",
        "exploit"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "EagleEye",
        "id": "232889",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 12,
        "FileHash-MD5": 80,
        "FileHash-SHA1": 79,
        "FileHash-SHA256": 152,
        "domain": 10,
        "hostname": 3
      },
      "indicator_count": 336,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "1117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6448452aaae6d3f476f5c954",
      "name": "Mercury group",
      "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
      "modified": "2023-05-10T20:00:32.823000",
      "created": "2023-04-25T21:24:58.002000",
      "tags": [
        "domain drokbk",
        "ip address",
        "drokbk c2",
        "abraham",
        "file name",
        "charmpower lure",
        "charmpower",
        "indicator type",
        "sha256 soldier",
        "drokbk",
        "clear",
        "sha1",
        "md5 mimikatz",
        "md5 netscan",
        "sha256 clear",
        "email address",
        "ransom note",
        "clear farusbig",
        "domain trigona",
        "command",
        "dev1084 batch",
        "download rport",
        "rport domain",
        "rport legit",
        "backdoor",
        "script backdoor",
        "na clear",
        "sha256 na",
        "sha1 na",
        "md5 na",
        "domain na",
        "clear https",
        "sha267",
        "cmd365 sample",
        "google firebase",
        "explorer",
        "chisel",
        "anydesk",
        "exploit"
      ],
      "references": [
        "Threat Insights: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "EagleEye",
        "id": "232889",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 13,
        "FileHash-MD5": 90,
        "FileHash-SHA1": 89,
        "FileHash-SHA256": 163,
        "domain": 19,
        "hostname": 3,
        "IPv4": 7,
        "email": 2
      },
      "indicator_count": 386,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "1117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64484a55bd892f876f68ffe5",
      "name": "Mercury group",
      "description": "MERCURY and DEV-1084: Destructive attack on hybrid environment. MERCURY is a malicious group linked to Iran.",
      "modified": "2023-05-10T20:00:32.823000",
      "created": "2023-04-25T21:47:01.671000",
      "tags": [
        "nokoyawa",
        "sha256 nokoyawa",
        "domain drokbk",
        "ip address",
        "drokbk c2",
        "abraham",
        "file name",
        "charmpower lure",
        "charmpower",
        "indicator type",
        "sha256 soldier",
        "drokbk",
        "clear",
        "sha1",
        "md5 mimikatz",
        "md5 netscan",
        "sha256 clear",
        "email address",
        "ransom note",
        "clear farusbig",
        "domain trigona",
        "command",
        "dev1084 batch",
        "download rport",
        "rport domain",
        "rport legit",
        "backdoor",
        "script backdoor",
        "na clear",
        "sha256 na",
        "sha1 na",
        "md5 na",
        "domain na",
        "clear https",
        "sha267",
        "cmd365 sample",
        "google firebase",
        "explorer",
        "chisel",
        "anydesk",
        "exploit"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "EagleEye",
        "id": "232889",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 13,
        "FileHash-MD5": 95,
        "FileHash-SHA1": 90,
        "FileHash-SHA256": 164,
        "domain": 23,
        "hostname": 3,
        "IPv4": 7,
        "email": 2,
        "CVE": 1
      },
      "indicator_count": 398,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "1117 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642ddda60735526b06c4c6ea",
      "name": "cve-2022-21587",
      "description": "Oracle E-Business Suite. CVE-2022-21587",
      "modified": "2023-05-05T20:01:31.955000",
      "created": "2023-04-05T20:44:22.129000",
      "tags": [
        "na clear",
        "clear",
        "sha256 na",
        "sha1 na",
        "md5 na",
        "domain na",
        "clear https",
        "sha267",
        "cmd365 sample",
        "google firebase",
        "explorer",
        "chisel",
        "anydesk",
        "exploit"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "EagleEye",
        "id": "232889",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11,
        "FileHash-MD5": 78,
        "FileHash-SHA1": 77,
        "FileHash-SHA256": 134,
        "domain": 9,
        "hostname": 2
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "1122 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64131a95f0a0534b306d83b4",
      "name": "Winter Vivern APT hackers use fake antivirus scans to install malware",
      "description": "",
      "modified": "2023-04-15T13:01:01.890000",
      "created": "2023-03-16T13:33:09.454000",
      "tags": [],
      "references": [
        "March 16th, 2023 - CryptoGen Cyber Threat Intelligence -Winter Vivern APT hackers use fake antivirus scans to install malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 4,
        "URL": 4,
        "domain": 8
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6412f1ae916404f18cc09ec5",
      "name": "Winter Vivern | Uncovering a Wave of Global Espionage - SentinelOne",
      "description": "The Winter Vivern Advanced Persistent Threat (APT) is a pro-Russian cyber-espionage group that targets government and private businesses, including those involved in the ongoing war in Ukraine.",
      "modified": "2023-04-15T10:00:31.838000",
      "created": "2023-03-16T10:38:38.860000",
      "tags": [
        "winter vivern",
        "prev icefire",
        "aperetif",
        "cbzc",
        "ukraine",
        "foreign affairs",
        "powershell",
        "threat",
        "ukraine cert",
        "belarus",
        "russia",
        "slovakia",
        "live"
      ],
      "references": [
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "public": 1,
      "adversary": "Winter Vivern",
      "targeted_countries": [
        "Poland",
        "Italy",
        "Slovakia",
        "India",
        "Lithuania",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Prev IceFire",
          "display_name": "Prev IceFire",
          "target": null
        },
        {
          "id": "Winter Vivern",
          "display_name": "Winter Vivern",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Telecommunications",
        "Telecommunication",
        "Foreign Affairs",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9,
        "FileHash-SHA1": 7,
        "domain": 9
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 866,
      "modified_text": "1143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6414170aca8287f070e7f225",
      "name": "Winter Vivern  Uncovering a Wave of Global Espionage - SentinelOne",
      "description": "",
      "modified": "2023-04-15T10:00:31.838000",
      "created": "2023-03-17T07:30:18.516000",
      "tags": [
        "winter vivern",
        "prev icefire",
        "aperetif",
        "cbzc",
        "ukraine",
        "foreign affairs",
        "powershell",
        "threat",
        "ukraine cert",
        "belarus",
        "russia",
        "slovakia",
        "live"
      ],
      "references": [
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "public": 1,
      "adversary": "Winter Vivern",
      "targeted_countries": [
        "Poland",
        "Italy",
        "Slovakia",
        "India",
        "Lithuania",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Prev IceFire",
          "display_name": "Prev IceFire",
          "target": null
        },
        {
          "id": "Winter Vivern",
          "display_name": "Winter Vivern",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Telecommunications",
        "Telecommunication",
        "Foreign Affairs",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "6412f1ae916404f18cc09ec5",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9,
        "FileHash-SHA1": 7,
        "domain": 9
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 190,
      "modified_text": "1143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64141789c975ac2f473a8e98",
      "name": "Winter Vivern Uncovering a Wave of Global Espionage - SentinelOne",
      "description": "",
      "modified": "2023-04-15T10:00:31.838000",
      "created": "2023-03-17T07:32:25.108000",
      "tags": [
        "winter vivern",
        "prev icefire",
        "aperetif",
        "cbzc",
        "ukraine",
        "foreign affairs",
        "powershell",
        "threat",
        "ukraine cert",
        "belarus",
        "russia",
        "slovakia",
        "live"
      ],
      "references": [
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "public": 1,
      "adversary": "Winter Vivern",
      "targeted_countries": [
        "Poland",
        "Italy",
        "Slovakia",
        "India",
        "Lithuania",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Prev IceFire",
          "display_name": "Prev IceFire",
          "target": null
        },
        {
          "id": "Winter Vivern",
          "display_name": "Winter Vivern",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Telecommunications",
        "Telecommunication",
        "Foreign Affairs",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "6414170aca8287f070e7f225",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9,
        "FileHash-SHA1": 7,
        "domain": 9
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 281,
      "modified_text": "1143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64390a3382df137b2e0d9107",
      "name": "Winter Vivern | Uncovering a Wave of Global Espionage",
      "description": "",
      "modified": "2023-04-14T08:09:23.449000",
      "created": "2023-04-14T08:09:23.449000",
      "tags": [],
      "references": [
        "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
      ],
      "public": 1,
      "adversary": "Winter Vivern",
      "targeted_countries": [
        "India"
      ],
      "malware_families": [
        {
          "id": "APERETIF",
          "display_name": "APERETIF",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        }
      ],
      "industries": [
        "Telecommunication",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "643904200e516efa91003960",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Y0utHS11",
        "id": "201713",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 6,
        "IPv4": 5,
        "URL": 6,
        "domain": 9
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "1144 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://applesaltbeauty.com/wordpress/wp-includes/widgets/classwp/521734i",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780339362.638055
}