{
  "type": "URL",
  "indicator": "https://chat.icbcbc.com.cn",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://chat.icbcbc.com.cn",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3926085886,
      "indicator": "https://chat.icbcbc.com.cn",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6a0a0e71af8047801da346a8",
          "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]",
          "description": "",
          "modified": "2026-05-20T08:57:02.834000",
          "created": "2026-05-17T18:52:33.147000",
          "tags": [],
          "references": [
            "114.114.114.114"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6a09f8a35ce1c4ed81629523",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 520,
            "hostname": 534,
            "URL": 487,
            "IPv4": 17,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 16,
            "CIDR": 2,
            "email": 2
          },
          "indicator_count": 1586,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "12 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a09f8a35ce1c4ed81629523",
          "name": "gh0st shadows",
          "description": "msudosos, have a look",
          "modified": "2026-05-17T17:19:31.602000",
          "created": "2026-05-17T17:19:31.602000",
          "tags": [],
          "references": [
            "114.114.114.114"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 342,
            "hostname": 405,
            "URL": 437
          },
          "indicator_count": 1184,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "14 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "669e65444a9e7205d738ce5f",
          "name": "Trojan:Win32/Magania.DSK!MTB | IPV4 114.114.114.114 Attacking",
          "description": "Consistently found in multiple attacks against healthcare organizations, individuals and technology businesses. There are complaints that individuals' photos from cameras were being sent to this IP. Known malicious IP.",
          "modified": "2024-08-21T11:03:59.106000",
          "created": "2024-07-22T13:57:24.444000",
          "tags": [
            "ipv4",
            "added active",
            "tulach",
            "as174 cogent",
            "china unknown",
            "china",
            "backdoor",
            "passive dns",
            "entries",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "twitter",
            "refloadapihash",
            "urls",
            "runtime process",
            "localappdata",
            "sha256",
            "size",
            "sha1",
            "programfiles",
            "prefetch8",
            "prefetch1",
            "unicode text",
            "date",
            "hybrid",
            "click",
            "strings",
            "contact",
            "unicode",
            "rgba",
            "type data",
            "crlf line",
            "windir",
            "malicious",
            "general"
          ],
          "references": [
            "https://otx.alienvault.com/pulse/669e42fea462f0c8f8db32a1",
            "AbuseIPDB https://www.abuseipdb.com \u203a whois WHOIS 114.114.114.114 | Nanjing Xinfeng Information Technologies Inc. 114.114.114.114",
            "IP Address Information. ISP, Nanjing Xinfeng Information Technologies Inc. Usage Type, Data Center/Web Hosting/Transit. Hostname",
            "IPV4 114.114.114.114: Verdict Suspicious Reverse DNS public1.114dns.com Location China flag China ASN AS174 cogent communications",
            "Historical OTX telemetry IP mentioned on Twitter 11 domains resolved in last 7 days 21 domains resolved in last 30 days",
            "500+ domains resolved in all time 47 top-level domains | Exploited CVEs All Time: 2017-0144 2002-0013",
            "Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB , ALF:HeraklezEval:Trojan:Win32/AutoItDownloader.J!ibt",
            "Antivirus Detections: !ALF:PUA:Block:VrBrothers.R!MTB ,  ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt ,  ALFPER:RefLoadApiHash ,",
            "Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB ,  Backdoor:Linux/Gafgyt.AF!MTB ,  Backdoor:Win32/PcClient.ZR ,  Can't access file",
            "DYNAMIC_DNS Query to a *.ns1.name  Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work TLD Query for .cc TLD"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Win32/Magania.DSK!MTB",
              "display_name": "Trojan:Win32/Magania.DSK!MTB",
              "target": "/malware/Trojan:Win32/Magania.DSK!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Media"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 94,
            "URL": 336,
            "FileHash-SHA256": 159,
            "domain": 128,
            "hostname": 117,
            "FileHash-SHA1": 91
          },
          "indicator_count": 925,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 229,
          "modified_text": "648 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB ,  Backdoor:Linux/Gafgyt.AF!MTB ,  Backdoor:Win32/PcClient.ZR ,  Can't access file",
        "AbuseIPDB https://www.abuseipdb.com \u203a whois WHOIS 114.114.114.114 | Nanjing Xinfeng Information Technologies Inc. 114.114.114.114",
        "Antivirus Detections: !ALF:PUA:Block:VrBrothers.R!MTB ,  ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt ,  ALFPER:RefLoadApiHash ,",
        "DYNAMIC_DNS Query to a *.ns1.name  Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work TLD Query for .cc TLD",
        "https://otx.alienvault.com/pulse/669e42fea462f0c8f8db32a1",
        "IP Address Information. ISP, Nanjing Xinfeng Information Technologies Inc. Usage Type, Data Center/Web Hosting/Transit. Hostname",
        "Historical OTX telemetry IP mentioned on Twitter 11 domains resolved in last 7 days 21 domains resolved in last 30 days",
        "500+ domains resolved in all time 47 top-level domains | Exploited CVEs All Time: 2017-0144 2002-0013",
        "IPV4 114.114.114.114: Verdict Suspicious Reverse DNS public1.114dns.com Location China flag China ASN AS174 cogent communications",
        "114.114.114.114",
        "Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB , ALF:HeraklezEval:Trojan:Win32/AutoItDownloader.J!ibt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Trojan:win32/magania.dsk!mtb"
          ],
          "industries": [
            "Technology",
            "Healthcare",
            "Media"
          ],
          "unique_indicators": 2091
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/icbcbc.com.cn",
    "whois": "http://whois.domaintools.com/icbcbc.com.cn",
    "domain": "icbcbc.com.cn",
    "hostname": "chat.icbcbc.com.cn"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6a0a0e71af8047801da346a8",
      "name": "Credit: Skocherhan \"gh0st shadows\" clone [ty sk]",
      "description": "",
      "modified": "2026-05-20T08:57:02.834000",
      "created": "2026-05-17T18:52:33.147000",
      "tags": [],
      "references": [
        "114.114.114.114"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6a09f8a35ce1c4ed81629523",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 520,
        "hostname": 534,
        "URL": 487,
        "IPv4": 17,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 16,
        "CIDR": 2,
        "email": 2
      },
      "indicator_count": 1586,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "12 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a09f8a35ce1c4ed81629523",
      "name": "gh0st shadows",
      "description": "msudosos, have a look",
      "modified": "2026-05-17T17:19:31.602000",
      "created": "2026-05-17T17:19:31.602000",
      "tags": [],
      "references": [
        "114.114.114.114"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 342,
        "hostname": 405,
        "URL": 437
      },
      "indicator_count": 1184,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "14 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "669e65444a9e7205d738ce5f",
      "name": "Trojan:Win32/Magania.DSK!MTB | IPV4 114.114.114.114 Attacking",
      "description": "Consistently found in multiple attacks against healthcare organizations, individuals and technology businesses. There are complaints that individuals' photos from cameras were being sent to this IP. Known malicious IP.",
      "modified": "2024-08-21T11:03:59.106000",
      "created": "2024-07-22T13:57:24.444000",
      "tags": [
        "ipv4",
        "added active",
        "tulach",
        "as174 cogent",
        "china unknown",
        "china",
        "backdoor",
        "passive dns",
        "entries",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "twitter",
        "refloadapihash",
        "urls",
        "runtime process",
        "localappdata",
        "sha256",
        "size",
        "sha1",
        "programfiles",
        "prefetch8",
        "prefetch1",
        "unicode text",
        "date",
        "hybrid",
        "click",
        "strings",
        "contact",
        "unicode",
        "rgba",
        "type data",
        "crlf line",
        "windir",
        "malicious",
        "general"
      ],
      "references": [
        "https://otx.alienvault.com/pulse/669e42fea462f0c8f8db32a1",
        "AbuseIPDB https://www.abuseipdb.com \u203a whois WHOIS 114.114.114.114 | Nanjing Xinfeng Information Technologies Inc. 114.114.114.114",
        "IP Address Information. ISP, Nanjing Xinfeng Information Technologies Inc. Usage Type, Data Center/Web Hosting/Transit. Hostname",
        "IPV4 114.114.114.114: Verdict Suspicious Reverse DNS public1.114dns.com Location China flag China ASN AS174 cogent communications",
        "Historical OTX telemetry IP mentioned on Twitter 11 domains resolved in last 7 days 21 domains resolved in last 30 days",
        "500+ domains resolved in all time 47 top-level domains | Exploited CVEs All Time: 2017-0144 2002-0013",
        "Antivirus Detections: !#SIGATTR:IEProxyChange , ALF:Backdoor:Win64/Meterpreter.AB!MTB , ALF:HeraklezEval:Trojan:Win32/AutoItDownloader.J!ibt",
        "Antivirus Detections: !ALF:PUA:Block:VrBrothers.R!MTB ,  ALF:Trojan:Win32/Cassini_6d4ebdc9!ibt ,  ALFPER:RefLoadApiHash ,",
        "Antivirus Detections: Backdoor:Linux/Dofloo.A!MTB ,  Backdoor:Linux/Gafgyt.AF!MTB ,  Backdoor:Win32/PcClient.ZR ,  Can't access file",
        "DYNAMIC_DNS Query to a *.ns1.name  Domain Query to a *.top domain - Likely Hostile Observed DNS Query to .work TLD Query for .cc TLD"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Trojan:Win32/Magania.DSK!MTB",
          "display_name": "Trojan:Win32/Magania.DSK!MTB",
          "target": "/malware/Trojan:Win32/Magania.DSK!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        }
      ],
      "industries": [
        "Healthcare",
        "Technology",
        "Media"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 94,
        "URL": 336,
        "FileHash-SHA256": 159,
        "domain": 128,
        "hostname": 117,
        "FileHash-SHA1": 91
      },
      "indicator_count": 925,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 229,
      "modified_text": "648 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://chat.icbcbc.com.cn",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://chat.icbcbc.com.cn",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780308348.0469878
}