{
  "type": "URL",
  "indicator": "https://block-digital.online/drivers/cam_driver",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://block-digital.online/drivers/cam_driver",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4124894924,
      "indicator": "https://block-digital.online/drivers/cam_driver",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "68b56db7e618d6d64f462bf6",
          "name": "Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique",
          "description": "Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websites. These sites prompt users to 'fix' non-existent camera issues, tricking them into downloading malware disguised as Nvidia software updates. The malware deploys a Node.js environment and executes BeaverTail, a common Lazarus tool. On Windows 11 systems, an additional backdoor (drvUpdate.exe) is installed. The attack also affects macOS users. The malware establishes persistence and connects to command and control servers for further instructions and data exfiltration.",
          "modified": "2025-10-01T09:03:47.815000",
          "created": "2025-09-01T09:56:07.266000",
          "tags": [
            "clickfix",
            "node.js",
            "beavertail",
            "invisibleferret",
            "macos",
            "apt-q-1",
            "social engineering",
            "windows",
            "phishing"
          ],
          "references": [
            "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515797&idx=1&sn=63eb2627f65397d704d187273c6cdce4&chksm=ea6649e2dd11c0f497ca57cf52676a9a764f28e587017e14fc850034ca8518c9f4ef46219824"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 11,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386945,
          "modified_text": "244 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bc0d92c439f8ebe992a953",
          "name": "EbeeSep2025 Pt1",
          "description": "",
          "modified": "2025-10-11T12:03:16.109000",
          "created": "2025-09-06T10:31:46.478000",
          "tags": [],
          "references": [
            "week1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 12,
            "FileHash-MD5": 157,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 318,
            "URL": 83,
            "domain": 78
          },
          "indicator_count": 789,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "234 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bece9cc845c1f057267247",
          "name": "The Trap of Troubleshooting: Analysis of Lazarus (APT-Q-1)'s Recent Attacks Using ClickFix",
          "description": "",
          "modified": "2025-10-08T12:03:15.598000",
          "created": "2025-09-08T12:39:56.910000",
          "tags": [
            "malicious",
            "md5 file",
            "beavertail",
            "backdoor",
            "windows",
            "homedir",
            "md5 download",
            "link save",
            "location",
            "ioc md5",
            "url https"
          ],
          "references": [
            "https://cn-sec.com/archives/4411045.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "URL": 11,
            "domain": 2
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bec366546596b2ee29a7fc",
          "name": "APT Q-1 Leveraging Fake  Technical Fixes to Deploy  BeaverTail Info Stealer",
          "description": "",
          "modified": "2025-10-08T11:00:52.355000",
          "created": "2025-09-08T11:52:06.114000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 11,
            "domain": 2,
            "URL": 5
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bec36789070caaaa4951d8",
          "name": "APT Q-1 Leveraging Fake  Technical Fixes to Deploy  BeaverTail Info Stealer",
          "description": "",
          "modified": "2025-10-08T11:00:52.355000",
          "created": "2025-09-08T11:52:07.128000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 11,
            "domain": 2,
            "URL": 5
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b9299fa058b2f5e9f0493e",
          "name": "aaaaaaaaaaaaaaa",
          "description": "The full text of the text-free app that users use to connect to their smart phones has been published by the BBC, but what does the public say about what it is and does it mean?",
          "modified": "2025-10-04T05:02:57.834000",
          "created": "2025-09-04T05:54:39.354000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 4
          },
          "indicator_count": 51,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "241 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b6fd60616896cfc1b226a5",
          "name": "IOC Blocking",
          "description": "",
          "modified": "2025-10-02T14:03:15.669000",
          "created": "2025-09-02T14:21:18.438000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "abinsiby7048",
            "id": "355718",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 13,
            "URL": 8,
            "domain": 2
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b69d28478bf4a6135349d1",
          "name": "Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique",
          "description": "",
          "modified": "2025-10-01T09:03:47.815000",
          "created": "2025-09-02T07:30:48.024000",
          "tags": [
            "clickfix",
            "node.js",
            "beavertail",
            "invisibleferret",
            "macos",
            "apt-q-1",
            "social engineering",
            "windows",
            "phishing"
          ],
          "references": [
            "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515797&idx=1&sn=63eb2627f65397d704d187273c6cdce4&chksm=ea6649e2dd11c0f497ca57cf52676a9a764f28e587017e14fc850034ca8518c9f4ef46219824"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "68b56db7e618d6d64f462bf6",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 11,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "244 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b14e87910ddc712273e0e7",
          "name": "IOC\u2014\u6545\u969c\u4fee\u590d\u4e4b\u4e0b\u7684\u9677\u9631\uff1aLazarus\uff08APT-Q-1\uff09\u8fd1\u671f\u5229\u7528 ClickFix \u624b\u6cd5\u7684\u653b\u51fb\u5206\u6790",
          "description": "ClickFix \u662f\u8fd1\u5e74\u6765\u5174\u8d77\u7684\u4e00\u79cd\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u624b\u6bb5\uff0c\u653b\u51fb\u8005\u5411\u53d7\u5bb3\u8005\u5c55\u793a\u4e00\u4e2a\u5e76\u4e0d\u5b58\u5728\u7684\u6545\u969c\uff0c\u8bf1\u4f7f\u53d7\u5bb3\u8005\u6309\u7167\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u6307\u793a\u201c\u4fee\u590d\u201d\u6545\u969c\uff0c\u5b9e\u9645\u4e0a\u53d7\u5bb3\u8005\u4e3b\u52a8\u8fd0\u884c\u7684\u201c\u4fee\u590d\u201d\u547d\u4ee4\u6b63\u662f\u7ecf\u8fc7\u4f2a\u88c5\u7684\u6076\u610f\u4ee3\u7801\u3002 \n\nLazarus \u5728\u4ee5\u865a\u5047\u62db\u8058\u4e3a\u8bf1\u9975\u7684\u9493\u9c7c\u653b\u51fb\u4e2d\u878d\u5165 ClickFix \u624b\u6cd5\uff0c\u53d7\u5bb3\u8005\u88ab\u865a\u5047\u5de5\u4f5c\u673a\u4f1a\u5438\u5f15\u5230\u653b\u51fb\u8005\u642d\u5efa\u7684\u9762\u8bd5\u7f51\u7ad9\uff0c\u7f51\u7ad9\u6307\u5bfc\u53d7\u5bb3\u8005\u51c6\u5907\u9762\u8bd5\u73af\u5883\u3002\u5f53\u53d7\u5bb3\u8005\u6309\u7167\u6307\u793a\u64cd\u4f5c\u65f6\uff0c\u7f51\u7ad9\u4f1a\u5728\u7279\u5b9a\u65f6\u673a\u63d0\u793a\u53d7\u5bb3\u8005\u6444\u50cf\u5934\u914d\u7f6e\u4e0d\u7b26\u5408\u8981\u6c42\u6216\u8005\u5b58\u5728\u6545\u969c\uff0c\u5e76\u7ed9\u51fa\u4fee\u590d\u65b9\u6848\uff0c\u4fee\u590d\u547d\u4ee4\u770b\u8d77\u6765\u662f\u4e0b\u8f7d Nvidia \u76f8\u5173\u8f6f\u4ef6\u7684\u66f4\u65b0\uff0c\u771f\u5b9e\u76ee\u7684\u5374\u662f\u690d\u5165\u6076\u610f\u8f6f\u4ef6\u3002",
          "modified": "2025-09-28T06:03:32.586000",
          "created": "2025-08-29T06:53:59.996000",
          "tags": [
            "ioc md5",
            "windows",
            "beavertail",
            "url https"
          ],
          "references": [
            "https://www.ctfiot.com/267223.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 8,
            "domain": 2
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "247 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b11f30c5769e918c7ebdb0",
          "name": "Traps under fault repair: Lazarus (APT-Q-1) recent attack analysis using ClickFix techniques.",
          "description": "Lazarus, an Advanced Persistent Threat (APT) group associated with Northeast Asia and designated APT-Q-1 by Qi'anxin, has been active since at least 2007. Originally focused on infiltrating government agencies to gather sensitive intelligence, its operations evolved significantly after the high-profile Sony Pictures attack in 2014. Post-2014, Lazarus expanded its targets to include global financial institutions and virtual currency trading platforms, employing sophisticated tactics to steal monetary assets.\n\nOne of the notable strategies employed by Lazarus involves the creation of fake social media profiles to lure individuals into job offers. This approach not only compromises the personal information of victims but also serves as a vector for phishing attacks tailored for people within specific industries. The organization leverages social engineering techniques to exploit the trust of potential targets, increasing the likelihood of successful breaches.",
          "modified": "2025-09-28T03:05:06.854000",
          "created": "2025-08-29T03:32:00.139000",
          "tags": [
            "lazarus",
            "clickfix",
            "beavertail",
            "windows",
            "homedir",
            "nvidia",
            "userprofile",
            "python",
            "invisibleferret",
            "macos",
            "shell",
            "alpha",
            "winrar",
            "credomap",
            "orpcbackdoor",
            "kimsuky",
            "ioc md5",
            "url https"
          ],
          "references": [
            "https://www.ctfiot.com/267223.html",
            "https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack",
            "https://medium.com/@anyrun/pylangghost-rat-rising-data-stealer-from-lazarus-group-targeting-finance-and-technology-d65cf790fb6d",
            "https://x.com/RedDrip7/status/1954801591938170935"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1585.001",
              "name": "Social Media Accounts",
              "display_name": "T1585.001 - Social Media Accounts"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 11,
            "domain": 2
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "247 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/RedDrip7/status/1954801591938170935",
        "https://medium.com/@anyrun/pylangghost-rat-rising-data-stealer-from-lazarus-group-targeting-finance-and-technology-d65cf790fb6d",
        "week1.pdf",
        "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515797&idx=1&sn=63eb2627f65397d704d187273c6cdce4&chksm=ea6649e2dd11c0f497ca57cf52676a9a764f28e587017e14fc850034ca8518c9f4ef46219824",
        "https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack",
        "https://www.ctfiot.com/267223.html",
        "https://cn-sec.com/archives/4411045.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Invisibleferret",
            "Beavertail"
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "unique_indicators": 36
        },
        "other": {
          "adversary": [
            "Lazarus",
            "Multiple"
          ],
          "malware_families": [
            "Invisibleferret",
            "Beavertail"
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "unique_indicators": 933
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/block-digital.online",
    "whois": "http://whois.domaintools.com/block-digital.online",
    "domain": "block-digital.online",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "68b56db7e618d6d64f462bf6",
      "name": "Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique",
      "description": "Lazarus, an APT group with suspected East Asian origins, has recently employed the ClickFix social engineering technique in their phishing attacks. The group, known for targeting financial institutions and cryptocurrency exchanges, now uses fake job opportunities to lure victims to interview websites. These sites prompt users to 'fix' non-existent camera issues, tricking them into downloading malware disguised as Nvidia software updates. The malware deploys a Node.js environment and executes BeaverTail, a common Lazarus tool. On Windows 11 systems, an additional backdoor (drvUpdate.exe) is installed. The attack also affects macOS users. The malware establishes persistence and connects to command and control servers for further instructions and data exfiltration.",
      "modified": "2025-10-01T09:03:47.815000",
      "created": "2025-09-01T09:56:07.266000",
      "tags": [
        "clickfix",
        "node.js",
        "beavertail",
        "invisibleferret",
        "macos",
        "apt-q-1",
        "social engineering",
        "windows",
        "phishing"
      ],
      "references": [
        "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515797&idx=1&sn=63eb2627f65397d704d187273c6cdce4&chksm=ea6649e2dd11c0f497ca57cf52676a9a764f28e587017e14fc850034ca8518c9f4ef46219824"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 11,
        "domain": 2
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386945,
      "modified_text": "244 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bc0d92c439f8ebe992a953",
      "name": "EbeeSep2025 Pt1",
      "description": "",
      "modified": "2025-10-11T12:03:16.109000",
      "created": "2025-09-06T10:31:46.478000",
      "tags": [],
      "references": [
        "week1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 12,
        "FileHash-MD5": 157,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 318,
        "URL": 83,
        "domain": 78
      },
      "indicator_count": 789,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "234 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bece9cc845c1f057267247",
      "name": "The Trap of Troubleshooting: Analysis of Lazarus (APT-Q-1)'s Recent Attacks Using ClickFix",
      "description": "",
      "modified": "2025-10-08T12:03:15.598000",
      "created": "2025-09-08T12:39:56.910000",
      "tags": [
        "malicious",
        "md5 file",
        "beavertail",
        "backdoor",
        "windows",
        "homedir",
        "md5 download",
        "link save",
        "location",
        "ioc md5",
        "url https"
      ],
      "references": [
        "https://cn-sec.com/archives/4411045.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 15,
        "URL": 11,
        "domain": 2
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "237 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bec366546596b2ee29a7fc",
      "name": "APT Q-1 Leveraging Fake Technical Fixes to Deploy BeaverTail Info Stealer",
      "description": "",
      "modified": "2025-10-08T11:00:52.355000",
      "created": "2025-09-08T11:52:06.114000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 11,
        "domain": 2,
        "URL": 5
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "237 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bec36789070caaaa4951d8",
      "name": "APT Q-1 Leveraging Fake Technical Fixes to Deploy BeaverTail Info Stealer",
      "description": "",
      "modified": "2025-10-08T11:00:52.355000",
      "created": "2025-09-08T11:52:07.128000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 11,
        "domain": 2,
        "URL": 5
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "237 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b9299fa058b2f5e9f0493e",
      "name": "aaaaaaaaaaaaaaa",
      "description": "The full text of the text-free app that users use to connect to their smart phones has been published by the BBC, but what does the public say about what it is and does it mean?",
      "modified": "2025-10-04T05:02:57.834000",
      "created": "2025-09-04T05:54:39.354000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 4
      },
      "indicator_count": 51,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "241 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b6fd60616896cfc1b226a5",
      "name": "IOC Blocking",
      "description": "",
      "modified": "2025-10-02T14:03:15.669000",
      "created": "2025-09-02T14:21:18.438000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "abinsiby7048",
        "id": "355718",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 13,
        "URL": 8,
        "domain": 2
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "243 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b69d28478bf4a6135349d1",
      "name": "Traps Beneath Fault Repair: Analysis of Recent Attacks Using ClickFix Technique",
      "description": "",
      "modified": "2025-10-01T09:03:47.815000",
      "created": "2025-09-02T07:30:48.024000",
      "tags": [
        "clickfix",
        "node.js",
        "beavertail",
        "invisibleferret",
        "macos",
        "apt-q-1",
        "social engineering",
        "windows",
        "phishing"
      ],
      "references": [
        "https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515797&idx=1&sn=63eb2627f65397d704d187273c6cdce4&chksm=ea6649e2dd11c0f497ca57cf52676a9a764f28e587017e14fc850034ca8518c9f4ef46219824"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "68b56db7e618d6d64f462bf6",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 11,
        "domain": 2
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "244 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b14e87910ddc712273e0e7",
      "name": "IOC\u2014\u6545\u969c\u4fee\u590d\u4e4b\u4e0b\u7684\u9677\u9631\uff1aLazarus\uff08APT-Q-1\uff09\u8fd1\u671f\u5229\u7528 ClickFix \u624b\u6cd5\u7684\u653b\u51fb\u5206\u6790",
      "description": "ClickFix \u662f\u8fd1\u5e74\u6765\u5174\u8d77\u7684\u4e00\u79cd\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u624b\u6bb5\uff0c\u653b\u51fb\u8005\u5411\u53d7\u5bb3\u8005\u5c55\u793a\u4e00\u4e2a\u5e76\u4e0d\u5b58\u5728\u7684\u6545\u969c\uff0c\u8bf1\u4f7f\u53d7\u5bb3\u8005\u6309\u7167\u653b\u51fb\u8005\u63d0\u4f9b\u7684\u6307\u793a\u201c\u4fee\u590d\u201d\u6545\u969c\uff0c\u5b9e\u9645\u4e0a\u53d7\u5bb3\u8005\u4e3b\u52a8\u8fd0\u884c\u7684\u201c\u4fee\u590d\u201d\u547d\u4ee4\u6b63\u662f\u7ecf\u8fc7\u4f2a\u88c5\u7684\u6076\u610f\u4ee3\u7801\u3002 \n\nLazarus \u5728\u4ee5\u865a\u5047\u62db\u8058\u4e3a\u8bf1\u9975\u7684\u9493\u9c7c\u653b\u51fb\u4e2d\u878d\u5165 ClickFix \u624b\u6cd5\uff0c\u53d7\u5bb3\u8005\u88ab\u865a\u5047\u5de5\u4f5c\u673a\u4f1a\u5438\u5f15\u5230\u653b\u51fb\u8005\u642d\u5efa\u7684\u9762\u8bd5\u7f51\u7ad9\uff0c\u7f51\u7ad9\u6307\u5bfc\u53d7\u5bb3\u8005\u51c6\u5907\u9762\u8bd5\u73af\u5883\u3002\u5f53\u53d7\u5bb3\u8005\u6309\u7167\u6307\u793a\u64cd\u4f5c\u65f6\uff0c\u7f51\u7ad9\u4f1a\u5728\u7279\u5b9a\u65f6\u673a\u63d0\u793a\u53d7\u5bb3\u8005\u6444\u50cf\u5934\u914d\u7f6e\u4e0d\u7b26\u5408\u8981\u6c42\u6216\u8005\u5b58\u5728\u6545\u969c\uff0c\u5e76\u7ed9\u51fa\u4fee\u590d\u65b9\u6848\uff0c\u4fee\u590d\u547d\u4ee4\u770b\u8d77\u6765\u662f\u4e0b\u8f7d Nvidia \u76f8\u5173\u8f6f\u4ef6\u7684\u66f4\u65b0\uff0c\u771f\u5b9e\u76ee\u7684\u5374\u662f\u690d\u5165\u6076\u610f\u8f6f\u4ef6\u3002",
      "modified": "2025-09-28T06:03:32.586000",
      "created": "2025-08-29T06:53:59.996000",
      "tags": [
        "ioc md5",
        "windows",
        "beavertail",
        "url https"
      ],
      "references": [
        "https://www.ctfiot.com/267223.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 8,
        "domain": 2
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "247 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b11f30c5769e918c7ebdb0",
      "name": "Traps under fault repair: Lazarus (APT-Q-1) recent attack analysis using ClickFix techniques.",
      "description": "Lazarus, an Advanced Persistent Threat (APT) group associated with Northeast Asia and designated APT-Q-1 by Qi'anxin, has been active since at least 2007. Originally focused on infiltrating government agencies to gather sensitive intelligence, its operations evolved significantly after the high-profile Sony Pictures attack in 2014. Post-2014, Lazarus expanded its targets to include global financial institutions and virtual currency trading platforms, employing sophisticated tactics to steal monetary assets.\n\nOne of the notable strategies employed by Lazarus involves the creation of fake social media profiles to lure individuals into job offers. This approach not only compromises the personal information of victims but also serves as a vector for phishing attacks tailored for people within specific industries. The organization leverages social engineering techniques to exploit the trust of potential targets, increasing the likelihood of successful breaches.",
      "modified": "2025-09-28T03:05:06.854000",
      "created": "2025-08-29T03:32:00.139000",
      "tags": [
        "lazarus",
        "clickfix",
        "beavertail",
        "windows",
        "homedir",
        "nvidia",
        "userprofile",
        "python",
        "invisibleferret",
        "macos",
        "shell",
        "alpha",
        "winrar",
        "credomap",
        "orpcbackdoor",
        "kimsuky",
        "ioc md5",
        "url https"
      ],
      "references": [
        "https://www.ctfiot.com/267223.html",
        "https://www.gendigital.com/blog/insights/research/deceptive-nvidia-attack",
        "https://medium.com/@anyrun/pylangghost-rat-rising-data-stealer-from-lazarus-group-targeting-finance-and-technology-d65cf790fb6d",
        "https://x.com/RedDrip7/status/1954801591938170935"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1585.001",
          "name": "Social Media Accounts",
          "display_name": "T1585.001 - Social Media Accounts"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 11,
        "domain": 2
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "247 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://block-digital.online/drivers/cam_driver",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://block-digital.online/drivers/cam_driver",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780427047.216096
}