{
  "type": "URL",
  "indicator": "https://chaingrown.com/manage/manage.asp",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://chaingrown.com/manage/manage.asp",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3848049625,
      "indicator": "https://chaingrown.com/manage/manage.asp",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "65e0cb765723aa9cfaa6b362",
          "name": "New Malicious PyPI Packages used by Lazarus",
          "description": "JPCERT/CC confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository. The packages pycryptoenv, pycryptoconf, quasarlib, and swapmempool contain malware. The names pycryptoenv and pycryptoconf are chosen to catch users who mistype the name of a legitimate package when installing it. The malware is Comebacker, which decodes and executes a DLL that sends HTTP requests to C2 servers; the DLL then receives and runs executable files. The packages were downloaded 300 to 1200 times, which indicates that Lazarus relies on package-name typos to infect targets.",
          "modified": "2024-03-30T18:00:32.423000",
          "created": "2024-02-29T18:22:46.516000",
          "tags": [
            "python",
            "lazarus",
            "pycryptoconf",
            "swapmempool",
            "quasarlib",
            "pycryptoenv",
            "pypi",
            "comebacker",
            "typosquatting"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "pycryptoenv",
              "display_name": "pycryptoenv",
              "target": null
            },
            {
              "id": "pycryptoconf",
              "display_name": "pycryptoconf",
              "target": null
            },
            {
              "id": "quasarlib",
              "display_name": "quasarlib",
              "target": null
            },
            {
              "id": "swapmempool",
              "display_name": "swapmempool",
              "target": null
            },
            {
              "id": "comebacker",
              "display_name": "comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 345,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 16,
            "URL": 4,
            "domain": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387161,
          "modified_text": "795 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667ac513b35565d4fd18bad1",
          "name": "\u7591\u4f3cLazarus\uff08APT-Q-1\uff09\u6d89\u53canpm\u5305\u4f9b\u5e94\u94fe\u7684\u653b\u51fb\u6837\u672c\u5206\u6790",
          "description": "",
          "modified": "2024-07-25T13:00:07.876000",
          "created": "2024-06-25T13:24:35.337000",
          "tags": [
            "strong",
            "appdata",
            "pe dll",
            "stage",
            "payload",
            "c https",
            "getprocfunc",
            "pec2c2ip",
            "npmnpm",
            "c http",
            "alpha"
          ],
          "references": [
            "https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "hiroki",
            "id": "4606",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 101,
          "modified_text": "678 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e157f31c04a5fcb369f499",
          "name": "New Malicious PyPI Packages used by Lazarus",
          "description": "",
          "modified": "2024-03-30T18:00:32.423000",
          "created": "2024-03-01T04:22:11.619000",
          "tags": [
            "python",
            "lazarus",
            "pycryptoconf",
            "swapmempool",
            "quasarlib",
            "pycryptoenv",
            "pypi",
            "comebacker",
            "typosquatting"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "pycryptoenv",
              "display_name": "pycryptoenv",
              "target": null
            },
            {
              "id": "pycryptoconf",
              "display_name": "pycryptoconf",
              "target": null
            },
            {
              "id": "quasarlib",
              "display_name": "quasarlib",
              "target": null
            },
            {
              "id": "swapmempool",
              "display_name": "swapmempool",
              "target": null
            },
            {
              "id": "comebacker",
              "display_name": "comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e0cb765723aa9cfaa6b362",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 16,
            "URL": 5,
            "domain": 3
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "795 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e6c8d3077298f165166f13",
          "name": "New Malicious PyPI Packages used by Lazarus",
          "description": "",
          "modified": "2024-03-30T18:00:32.423000",
          "created": "2024-03-05T07:25:07.648000",
          "tags": [
            "python",
            "lazarus",
            "pycryptoconf",
            "swapmempool",
            "quasarlib",
            "pycryptoenv",
            "pypi",
            "comebacker",
            "typosquatting"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "pycryptoenv",
              "display_name": "pycryptoenv",
              "target": null
            },
            {
              "id": "pycryptoconf",
              "display_name": "pycryptoconf",
              "target": null
            },
            {
              "id": "quasarlib",
              "display_name": "quasarlib",
              "target": null
            },
            {
              "id": "swapmempool",
              "display_name": "swapmempool",
              "target": null
            },
            {
              "id": "comebacker",
              "display_name": "comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e157f31c04a5fcb369f499",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 16,
            "URL": 4,
            "domain": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "795 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e82c7d86c8128b32baf62c",
          "name": "New Malicious PyPI Packages used by Lazarus",
          "description": "",
          "modified": "2024-03-30T18:00:32.423000",
          "created": "2024-03-06T08:42:37.969000",
          "tags": [
            "python",
            "lazarus",
            "pycryptoconf",
            "swapmempool",
            "quasarlib",
            "pycryptoenv",
            "pypi",
            "comebacker",
            "typosquatting"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "pycryptoenv",
              "display_name": "pycryptoenv",
              "target": null
            },
            {
              "id": "pycryptoconf",
              "display_name": "pycryptoconf",
              "target": null
            },
            {
              "id": "quasarlib",
              "display_name": "quasarlib",
              "target": null
            },
            {
              "id": "swapmempool",
              "display_name": "swapmempool",
              "target": null
            },
            {
              "id": "comebacker",
              "display_name": "comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65e6c8d3077298f165166f13",
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 16,
            "URL": 4,
            "domain": 3
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "795 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html",
        "https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Pycryptoconf",
            "Swapmempool",
            "Pycryptoenv",
            "Quasarlib",
            "Comebacker"
          ],
          "industries": [],
          "unique_indicators": 26
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Pycryptoconf",
            "Swapmempool",
            "Pycryptoenv",
            "Quasarlib",
            "Comebacker"
          ],
          "industries": [],
          "unique_indicators": 48
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/chaingrown.com",
    "whois": "http://whois.domaintools.com/chaingrown.com",
    "domain": "chaingrown.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "65e0cb765723aa9cfaa6b362",
      "name": "New Malicious PyPI Packages used by Lazarus",
      "description": "JPCERT/CC confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository. The packages pycryptoenv, pycryptoconf, quasarlib, and swapmempool contain malware. The names pycryptoenv and pycryptoconf are chosen to catch users who mistype the name of a legitimate package when installing it. The malware is Comebacker, which decodes and executes a DLL that sends HTTP requests to C2 servers; the DLL then receives and runs executable files. The packages were downloaded 300 to 1200 times, which indicates that Lazarus relies on package-name typos to infect targets.",
      "modified": "2024-03-30T18:00:32.423000",
      "created": "2024-02-29T18:22:46.516000",
      "tags": [
        "python",
        "lazarus",
        "pycryptoconf",
        "swapmempool",
        "quasarlib",
        "pycryptoenv",
        "pypi",
        "comebacker",
        "typosquatting"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "pycryptoenv",
          "display_name": "pycryptoenv",
          "target": null
        },
        {
          "id": "pycryptoconf",
          "display_name": "pycryptoconf",
          "target": null
        },
        {
          "id": "quasarlib",
          "display_name": "quasarlib",
          "target": null
        },
        {
          "id": "swapmempool",
          "display_name": "swapmempool",
          "target": null
        },
        {
          "id": "comebacker",
          "display_name": "comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 345,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 16,
        "URL": 4,
        "domain": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387161,
      "modified_text": "795 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667ac513b35565d4fd18bad1",
      "name": "\u7591\u4f3cLazarus\uff08APT-Q-1\uff09\u6d89\u53canpm\u5305\u4f9b\u5e94\u94fe\u7684\u653b\u51fb\u6837\u672c\u5206\u6790",
      "description": "",
      "modified": "2024-07-25T13:00:07.876000",
      "created": "2024-06-25T13:24:35.337000",
      "tags": [
        "strong",
        "appdata",
        "pe dll",
        "stage",
        "payload",
        "c https",
        "getprocfunc",
        "pec2c2ip",
        "npmnpm",
        "c http",
        "alpha"
      ],
      "references": [
        "https://mp.weixin.qq.com/s/f5YE12w3x3wad5EO0EB53Q"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "hiroki",
        "id": "4606",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 12,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 101,
      "modified_text": "678 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e157f31c04a5fcb369f499",
      "name": "New Malicious PyPI Packages used by Lazarus",
      "description": "",
      "modified": "2024-03-30T18:00:32.423000",
      "created": "2024-03-01T04:22:11.619000",
      "tags": [
        "python",
        "lazarus",
        "pycryptoconf",
        "swapmempool",
        "quasarlib",
        "pycryptoenv",
        "pypi",
        "comebacker",
        "typosquatting"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "pycryptoenv",
          "display_name": "pycryptoenv",
          "target": null
        },
        {
          "id": "pycryptoconf",
          "display_name": "pycryptoconf",
          "target": null
        },
        {
          "id": "quasarlib",
          "display_name": "quasarlib",
          "target": null
        },
        {
          "id": "swapmempool",
          "display_name": "swapmempool",
          "target": null
        },
        {
          "id": "comebacker",
          "display_name": "comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e0cb765723aa9cfaa6b362",
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 16,
        "URL": 5,
        "domain": 3
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "795 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e6c8d3077298f165166f13",
      "name": "New Malicious PyPI Packages used by Lazarus",
      "description": "",
      "modified": "2024-03-30T18:00:32.423000",
      "created": "2024-03-05T07:25:07.648000",
      "tags": [
        "python",
        "lazarus",
        "pycryptoconf",
        "swapmempool",
        "quasarlib",
        "pycryptoenv",
        "pypi",
        "comebacker",
        "typosquatting"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "pycryptoenv",
          "display_name": "pycryptoenv",
          "target": null
        },
        {
          "id": "pycryptoconf",
          "display_name": "pycryptoconf",
          "target": null
        },
        {
          "id": "quasarlib",
          "display_name": "quasarlib",
          "target": null
        },
        {
          "id": "swapmempool",
          "display_name": "swapmempool",
          "target": null
        },
        {
          "id": "comebacker",
          "display_name": "comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e157f31c04a5fcb369f499",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 16,
        "URL": 4,
        "domain": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "795 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e82c7d86c8128b32baf62c",
      "name": "New Malicious PyPI Packages used by Lazarus",
      "description": "",
      "modified": "2024-03-30T18:00:32.423000",
      "created": "2024-03-06T08:42:37.969000",
      "tags": [
        "python",
        "lazarus",
        "pycryptoconf",
        "swapmempool",
        "quasarlib",
        "pycryptoenv",
        "pypi",
        "comebacker",
        "typosquatting"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "pycryptoenv",
          "display_name": "pycryptoenv",
          "target": null
        },
        {
          "id": "pycryptoconf",
          "display_name": "pycryptoconf",
          "target": null
        },
        {
          "id": "quasarlib",
          "display_name": "quasarlib",
          "target": null
        },
        {
          "id": "swapmempool",
          "display_name": "swapmempool",
          "target": null
        },
        {
          "id": "comebacker",
          "display_name": "comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65e6c8d3077298f165166f13",
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 16,
        "URL": 4,
        "domain": 3
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "795 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://chaingrown.com/manage/manage.asp",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://chaingrown.com/manage/manage.asp",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780511449.3258026
}