{ "type": "URL", "indicator": "https://calipology.co.uk", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://calipology.co.uk", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329190290, "indicator": "https://calipology.co.uk", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee2299c67d16921c030246", "name": "Calipology / SystemAutoUpdater - Trojanized RustDesk via Signed MSTeams Installer.", "description": "A recent investigation has revealed that a trojanized Microsoft Teams installer, named MSTeamsSetup.exe, is being used to distribute a malicious version of the RustDesk remote access client. This executable file, masquerading as legitimate software, is signed with a fraudulent certificate issued to Zlatin Stamatov by Certum. The command-and-control (C2) domain associated with this operation, http://mon.systemautoupdater.com, resolves to an IP address of 23.27.141.44, which is hosted by EvoXT, a provider linked to previous cybercrime activities involving the GeorgeGinx/Striker investigation. The fraudulent certificate suggests possible identity deception linked to a legitimate UK brake caliper refurbishment business, http://calipology.co.uk.", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:35:05.503000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "striker c2", "tls certificate", "c2 server", "rustdesk", "evoxt", "godaddy", "code signing", "certum", "bots management", "ghost", "telegram", "first", "code", "crypto", "evolution" ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 4, "email": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [], "unique_indicators": 1011 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/calipology.co.uk", "whois": "http://whois.domaintools.com/calipology.co.uk", "domain": "calipology.co.uk", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee2299c67d16921c030246", "name": "Calipology / SystemAutoUpdater - Trojanized RustDesk via Signed MSTeams Installer.", "description": "A recent investigation has revealed that a trojanized Microsoft Teams installer, named MSTeamsSetup.exe, is being used to distribute a malicious version of the RustDesk remote access client. This executable file, masquerading as legitimate software, is signed with a fraudulent certificate issued to Zlatin Stamatov by Certum. The command-and-control (C2) domain associated with this operation, http://mon.systemautoupdater.com, resolves to an IP address of 23.27.141.44, which is hosted by EvoXT, a provider linked to previous cybercrime activities involving the GeorgeGinx/Striker investigation. The fraudulent certificate suggests possible identity deception linked to a legitimate UK brake caliper refurbishment business, http://calipology.co.uk.", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:35:05.503000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "striker c2", "tls certificate", "c2 server", "rustdesk", "evoxt", "godaddy", "code signing", "certum", "bots management", "ghost", "telegram", "first", "code", "crypto", "evolution" ], "references": [ "https://intel.breakglass.tech/post/systemautoupdater-23-27-141-44" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 4, "email": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://calipology.co.uk", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://calipology.co.uk", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780176044.2532597 }