{ "type": "URL", "indicator": "https://cdn.0c.sk/1101012.zip.", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cdn.0c.sk/1101012.zip.", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3843147641, "indicator": "https://cdn.0c.sk/1101012.zip.", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "65dc4f3ef645bae1d46a7ac3", "name": "Attackers leverage PyPI to sideload malicious DLLs", "description": "", "modified": "2024-02-26T08:43:42.513000", "created": "2024-02-26T08:43:42.513000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "february", "np6helperhttper", "dll sideloading", "iocs", "state", "cobalt strike", "download", "malicious", "close", "python", "june", "ransomware" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChaiPatti", "id": "217274", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217274/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 10, "FileHash-SHA256": 3, "URL": 4, "hostname": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "825 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d5e5ce07301dbbd60ee063", "name": "Attackers leverage PyPI to sideload malicious DLLs", "description": "Open-source platforms and code are increasingly being used to deliver malware to software supply chains, according to researchers from ReversingLabs, who discovered two suspicious packages on the Python package manager.", "modified": "2024-02-21T12:00:14.222000", "created": "2024-02-21T12:00:14.222000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "np6helperhttper", "dll sideloading", "iocs", "state", "supply chain", "cobalt strike", "february", "download", "malware", "malicious", "close", "python", "june", "enterprise strategy" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls" ], "public": 1, "adversary": "Enterprise Strategy", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 10, "FileHash-SHA256": 3, "URL": 5, "hostname": 2 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "830 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d4bd2862efabfbe46ae8e3", "name": "New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics", "description": "Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.\n\nThe packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.", "modified": "2024-02-20T14:54:31.808000", "created": "2024-02-20T14:54:31.808000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "np6helperhttper", "dll sideloading", "iocs", "state", "supply chain", "cobalt strike", "february", "download", "malware", "malicious", "close", "python", "june", "enterprise strategy" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls", "https://thehackernews.com/2024/02/new-malicious-pypi-packages-caught.html" ], "public": 1, "adversary": "Enterprise Strategy", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 295, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 10, "URL": 4, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "831 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls", "https://thehackernews.com/2024/02/new-malicious-pypi-packages-caught.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Enterprise Strategy" ], "malware_families": [ "Cobalt strike" ], "industries": [], "unique_indicators": 24 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/0c.sk", "whois": "http://whois.domaintools.com/0c.sk", "domain": "0c.sk", "hostname": "cdn.0c.sk" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "65dc4f3ef645bae1d46a7ac3", "name": "Attackers leverage PyPI to sideload malicious DLLs", "description": "", "modified": "2024-02-26T08:43:42.513000", "created": "2024-02-26T08:43:42.513000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "february", "np6helperhttper", "dll sideloading", "iocs", "state", "cobalt strike", "download", "malicious", "close", "python", "june", "ransomware" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChaiPatti", "id": "217274", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217274/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 10, "FileHash-SHA256": 3, "URL": 4, "hostname": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "825 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d5e5ce07301dbbd60ee063", "name": "Attackers leverage PyPI to sideload malicious DLLs", "description": "Open-source platforms and code are increasingly being used to deliver malware to software supply chains, according to researchers from ReversingLabs, who discovered two suspicious packages on the Python package manager.", "modified": "2024-02-21T12:00:14.222000", "created": "2024-02-21T12:00:14.222000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "np6helperhttper", "dll sideloading", "iocs", "state", "supply chain", "cobalt strike", "february", "download", "malware", "malicious", "close", "python", "june", "enterprise strategy" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls" ], "public": 1, "adversary": "Enterprise Strategy", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 10, "FileHash-SHA256": 3, "URL": 5, "hostname": 2 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "830 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d4bd2862efabfbe46ae8e3", "name": "New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics", "description": "Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code.\n\nThe packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, before they were taken down.", "modified": "2024-02-20T14:54:31.808000", "created": "2024-02-20T14:54:31.808000", "tags": [ "pypi", "software supply", "reversinglabs", "chain security", "strong", "np6helperhttper", "dll sideloading", "iocs", "state", "supply chain", "cobalt strike", "february", "download", "malware", "malicious", "close", "python", "june", "enterprise strategy" ], "references": [ "https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls", "https://thehackernews.com/2024/02/new-malicious-pypi-packages-caught.html" ], "public": 1, "adversary": "Enterprise Strategy", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 295, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 10, "URL": 4, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "831 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cdn.0c.sk/1101012.zip.", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cdn.0c.sk/1101012.zip.", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780250367.620333 }