{
  "type": "URL",
  "indicator": "https://builsf.com/inc/left.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://builsf.com/inc/left.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4059934208,
      "indicator": "https://builsf.com/inc/left.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6809f295fb213f24e9df9228",
          "name": "Lazarus APT updates its toolset in watering hole attacks",
          "description": "The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers utilized updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE. They also exploited vulnerabilities in Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates Lazarus' ongoing focus on supply chain attacks targeting South Korean entities and their deep understanding of the local software ecosystem.",
          "modified": "2025-04-24T13:19:00.842000",
          "created": "2025-04-24T08:13:09.551000",
          "tags": [
            "copperhedge",
            "vulnerability exploitation",
            "threatneedle",
            "supply chain",
            "south korea",
            "agamemnon downloader",
            "signbt",
            "apt",
            "wagent",
            "watering hole"
          ],
          "references": [
            "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ThreatNeedle - S0665",
              "display_name": "ThreatNeedle - S0665",
              "target": null
            },
            {
              "id": "wAgent",
              "display_name": "wAgent",
              "target": null
            },
            {
              "id": "Agamemnon downloader",
              "display_name": "Agamemnon downloader",
              "target": null
            },
            {
              "id": "SIGNBT",
              "display_name": "SIGNBT",
              "target": null
            },
            {
              "id": "COPPERHEDGE",
              "display_name": "COPPERHEDGE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1608.004",
              "name": "Drive-by Target",
              "display_name": "T1608.004 - Drive-by Target"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1564.004",
              "name": "NTFS File Attributes",
              "display_name": "T1564.004 - NTFS File Attributes"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [
            "Technology",
            "Finance",
            "Manufacturing",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 38,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 3,
            "URL": 11,
            "domain": 5,
            "hostname": 3
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377500,
          "modified_text": "359 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680f8bda6a2aab67254ff9c2",
          "name": "Lazarus APT updates its toolset in watering hole attacks | Securelist",
          "description": "Security firm Kaspersky says it has identified the malicious tools used by the Russian cyber-attack group, Lazarus, in a series of attacks targeting South Korean companies and government institutions over the past year.",
          "modified": "2025-05-28T00:01:41.760000",
          "created": "2025-04-28T14:08:26.641000",
          "tags": [
            "apt",
            "infrastructure",
            "lazarus",
            "malware",
            "malware descriptions",
            "malware technologies",
            "mitre att&ck",
            "supply-chain attack",
            "targeted attacks",
            "vulnerabilities and exploits",
            "watering hole attacks",
            "zero-day vulnerabilities",
            "lazarus group",
            "south korea",
            "signbt",
            "threatneedle",
            "innorix agent",
            "cross ex",
            "c2 server",
            "krcert",
            "lpeclient",
            "copperhedge",
            "february",
            "gate",
            "loader",
            "core",
            "hell",
            "mysterysnail",
            "ironhusky",
            "wagent",
            "agamemnon"
          ],
          "references": [
            "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SIGNBT",
              "display_name": "SIGNBT",
              "target": null
            },
            {
              "id": "wAgent",
              "display_name": "wAgent",
              "target": null
            },
            {
              "id": "COPPERHEDGE",
              "display_name": "COPPERHEDGE",
              "target": null
            },
            {
              "id": "ThreatNeedle",
              "display_name": "ThreatNeedle",
              "target": null
            },
            {
              "id": "Agamemnon",
              "display_name": "Agamemnon",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 3,
            "URL": 12,
            "domain": 5,
            "hostname": 4
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 845,
          "modified_text": "326 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680c1a2539b381ea9fbe7054",
          "name": "InQuest - 25-04-2025",
          "description": "",
          "modified": "2025-05-25T23:00:17.763000",
          "created": "2025-04-25T23:26:29.483000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "URL": 236,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 814,
            "domain": 54,
            "FileHash-MD5": 26
          },
          "indicator_count": 1196,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1602,
          "modified_text": "328 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680ac7dd8edc8c55be961a6d",
          "name": "InQuest - 24-04-2025",
          "description": "",
          "modified": "2025-05-24T23:00:39.177000",
          "created": "2025-04-24T23:23:09.843000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 879,
            "FileHash-MD5": 33,
            "hostname": 67,
            "URL": 426,
            "domain": 113,
            "FileHash-SHA1": 24
          },
          "indicator_count": 1542,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1601,
          "modified_text": "329 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6814bc79ac1cf9155fe34c4e",
          "name": "Lazarus Group\u2019s \u201cOperation SyncHole\u201d Targeting Critical Industries",
          "description": "As part of a series of articles on cyber-security, we take a look at some of the key quotes from people who have contributed to this year's \u00a31.3bn ransomware attack.",
          "modified": "2025-05-02T12:37:13.078000",
          "created": "2025-05-02T12:37:13.078000",
          "tags": [
            "update",
            "siem",
            "iocs",
            "keep anti",
            "virus endpoint",
            "https"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 22,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 2,
            "domain": 5,
            "hostname": 18
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 485,
          "modified_text": "351 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6810617b4bcd0b1c76d88670",
          "name": "Lazarus APT updates its toolset in watering hole attacks",
          "description": "",
          "modified": "2025-04-29T05:19:55.329000",
          "created": "2025-04-29T05:19:55.329000",
          "tags": [
            "copperhedge",
            "vulnerability exploitation",
            "threatneedle",
            "supply chain",
            "south korea",
            "agamemnon downloader",
            "signbt",
            "apt",
            "wagent",
            "watering hole"
          ],
          "references": [
            "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ThreatNeedle - S0665",
              "display_name": "ThreatNeedle - S0665",
              "target": null
            },
            {
              "id": "wAgent",
              "display_name": "wAgent",
              "target": null
            },
            {
              "id": "Agamemnon downloader",
              "display_name": "Agamemnon downloader",
              "target": null
            },
            {
              "id": "SIGNBT",
              "display_name": "SIGNBT",
              "target": null
            },
            {
              "id": "COPPERHEDGE",
              "display_name": "COPPERHEDGE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1087.001",
              "name": "Local Account",
              "display_name": "T1087.001 - Local Account"
            },
            {
              "id": "T1608.004",
              "name": "Drive-by Target",
              "display_name": "T1608.004 - Drive-by Target"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1135",
              "name": "Network Share Discovery",
              "display_name": "T1135 - Network Share Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1564.004",
              "name": "NTFS File Attributes",
              "display_name": "T1564.004 - NTFS File Attributes"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [
            "Technology",
            "Finance",
            "Manufacturing",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "6809f295fb213f24e9df9228",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 3,
            "URL": 11,
            "domain": 5,
            "hostname": 3
          },
          "indicator_count": 24,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 263,
          "modified_text": "355 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://labs.inquest.net/iocdb",
        "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Copperhedge",
            "Signbt",
            "Threatneedle - s0665",
            "Agamemnon downloader",
            "Wagent"
          ],
          "industries": [
            "Technology",
            "Finance",
            "Manufacturing",
            "Telecommunications"
          ],
          "unique_indicators": 24
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Copperhedge",
            "Agamemnon",
            "Signbt",
            "Threatneedle - s0665",
            "Agamemnon downloader",
            "Threatneedle",
            "Wagent"
          ],
          "industries": [
            "Technology",
            "Finance",
            "Manufacturing",
            "Telecommunications"
          ],
          "unique_indicators": 1824
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/builsf.com",
    "whois": "http://whois.domaintools.com/builsf.com",
    "domain": "builsf.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6809f295fb213f24e9df9228",
      "name": "Lazarus APT updates its toolset in watering hole attacks",
      "description": "The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers utilized updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE. They also exploited vulnerabilities in Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates Lazarus' ongoing focus on supply chain attacks targeting South Korean entities and their deep understanding of the local software ecosystem.",
      "modified": "2025-04-24T13:19:00.842000",
      "created": "2025-04-24T08:13:09.551000",
      "tags": [
        "copperhedge",
        "vulnerability exploitation",
        "threatneedle",
        "supply chain",
        "south korea",
        "agamemnon downloader",
        "signbt",
        "apt",
        "wagent",
        "watering hole"
      ],
      "references": [
        "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ThreatNeedle - S0665",
          "display_name": "ThreatNeedle - S0665",
          "target": null
        },
        {
          "id": "wAgent",
          "display_name": "wAgent",
          "target": null
        },
        {
          "id": "Agamemnon downloader",
          "display_name": "Agamemnon downloader",
          "target": null
        },
        {
          "id": "SIGNBT",
          "display_name": "SIGNBT",
          "target": null
        },
        {
          "id": "COPPERHEDGE",
          "display_name": "COPPERHEDGE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1608.004",
          "name": "Drive-by Target",
          "display_name": "T1608.004 - Drive-by Target"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1564.004",
          "name": "NTFS File Attributes",
          "display_name": "T1564.004 - NTFS File Attributes"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [
        "Technology",
        "Finance",
        "Manufacturing",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 38,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 3,
        "URL": 11,
        "domain": 5,
        "hostname": 3
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377500,
      "modified_text": "359 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "680f8bda6a2aab67254ff9c2",
      "name": "Lazarus APT updates its toolset in watering hole attacks | Securelist",
      "description": "Security firm Kaspersky says it has identified the malicious tools used by the Russian cyber-attack group, Lazarus, in a series of attacks targeting South Korean companies and government institutions over the past year.",
      "modified": "2025-05-28T00:01:41.760000",
      "created": "2025-04-28T14:08:26.641000",
      "tags": [
        "apt",
        "infrastructure",
        "lazarus",
        "malware",
        "malware descriptions",
        "malware technologies",
        "mitre att&ck",
        "supply-chain attack",
        "targeted attacks",
        "vulnerabilities and exploits",
        "watering hole attacks",
        "zero-day vulnerabilities",
        "lazarus group",
        "south korea",
        "signbt",
        "threatneedle",
        "innorix agent",
        "cross ex",
        "c2 server",
        "krcert",
        "lpeclient",
        "copperhedge",
        "february",
        "gate",
        "loader",
        "core",
        "hell",
        "mysterysnail",
        "ironhusky",
        "wagent",
        "agamemnon"
      ],
      "references": [
        "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SIGNBT",
          "display_name": "SIGNBT",
          "target": null
        },
        {
          "id": "wAgent",
          "display_name": "wAgent",
          "target": null
        },
        {
          "id": "COPPERHEDGE",
          "display_name": "COPPERHEDGE",
          "target": null
        },
        {
          "id": "ThreatNeedle",
          "display_name": "ThreatNeedle",
          "target": null
        },
        {
          "id": "Agamemnon",
          "display_name": "Agamemnon",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 3,
        "URL": 12,
        "domain": 5,
        "hostname": 4
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 845,
      "modified_text": "326 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "680c1a2539b381ea9fbe7054",
      "name": "InQuest - 25-04-2025",
      "description": "",
      "modified": "2025-05-25T23:00:17.763000",
      "created": "2025-04-25T23:26:29.483000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "URL": 236,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 814,
        "domain": 54,
        "FileHash-MD5": 26
      },
      "indicator_count": 1196,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1602,
      "modified_text": "328 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "680ac7dd8edc8c55be961a6d",
      "name": "InQuest - 24-04-2025",
      "description": "",
      "modified": "2025-05-24T23:00:39.177000",
      "created": "2025-04-24T23:23:09.843000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 879,
        "FileHash-MD5": 33,
        "hostname": 67,
        "URL": 426,
        "domain": 113,
        "FileHash-SHA1": 24
      },
      "indicator_count": 1542,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1601,
      "modified_text": "329 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6814bc79ac1cf9155fe34c4e",
      "name": "Lazarus Group\u2019s \u201cOperation SyncHole\u201d Targeting Critical Industries",
      "description": "As part of a series of articles on cyber-security, we take a look at some of the key quotes from people who have contributed to this year's \u00a31.3bn ransomware attack.",
      "modified": "2025-05-02T12:37:13.078000",
      "created": "2025-05-02T12:37:13.078000",
      "tags": [
        "update",
        "siem",
        "iocs",
        "keep anti",
        "virus endpoint",
        "https"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 22,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 2,
        "domain": 5,
        "hostname": 18
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 485,
      "modified_text": "351 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6810617b4bcd0b1c76d88670",
      "name": "Lazarus APT updates its toolset in watering hole attacks",
      "description": "",
      "modified": "2025-04-29T05:19:55.329000",
      "created": "2025-04-29T05:19:55.329000",
      "tags": [
        "copperhedge",
        "vulnerability exploitation",
        "threatneedle",
        "supply chain",
        "south korea",
        "agamemnon downloader",
        "signbt",
        "apt",
        "wagent",
        "watering hole"
      ],
      "references": [
        "https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ThreatNeedle - S0665",
          "display_name": "ThreatNeedle - S0665",
          "target": null
        },
        {
          "id": "wAgent",
          "display_name": "wAgent",
          "target": null
        },
        {
          "id": "Agamemnon downloader",
          "display_name": "Agamemnon downloader",
          "target": null
        },
        {
          "id": "SIGNBT",
          "display_name": "SIGNBT",
          "target": null
        },
        {
          "id": "COPPERHEDGE",
          "display_name": "COPPERHEDGE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1087.001",
          "name": "Local Account",
          "display_name": "T1087.001 - Local Account"
        },
        {
          "id": "T1608.004",
          "name": "Drive-by Target",
          "display_name": "T1608.004 - Drive-by Target"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1135",
          "name": "Network Share Discovery",
          "display_name": "T1135 - Network Share Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1564.004",
          "name": "NTFS File Attributes",
          "display_name": "T1564.004 - NTFS File Attributes"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [
        "Technology",
        "Finance",
        "Manufacturing",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "6809f295fb213f24e9df9228",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 3,
        "URL": 11,
        "domain": 5,
        "hostname": 3
      },
      "indicator_count": 24,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 263,
      "modified_text": "355 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://builsf.com/inc/left.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://builsf.com/inc/left.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776601776.1025286
}