{ "type": "URL", "indicator": "https://chat.openai.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://chat.openai.com", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain openai.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4161209398, "indicator": "https://chat.openai.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69db4f2dc509a1e8210f1b68", "name": "CAPE Sandbox", "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".", "modified": "2026-04-12T08:36:17.724000", "created": "2026-04-12T07:52:13.594000", "tags": [ "network admin", "civicplus", "net192", "net1920000", "houston", "suite e", "city", "server", "select contact", "domain holder", "date", "form", "submission", "ssdeep", "file type", "text text", "magic unicode", "utf8", "crlf line", "trid text", "magika txt", "file size", "chatgpt", "doctype html", "meta", "ai system", "research", "preview", "gmt server", "self", "dynamic", "html info", "title chatgpt", "meta tags", "thumbprint" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 602, "domain": 166, "email": 37, "hostname": 837, "FileHash-MD5": 125, "FileHash-SHA1": 136, "FileHash-SHA256": 1230, "IPv4": 399 }, "indicator_count": 3534, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693bc607c5d52f04c149f58d", "name": "REACT2SHELL: EXPLOITATION IN THE WILD -> THE RAVEN FILE", "description": "In The Raven File, an Independent Security Researcher, investigates the React2Shell RCE Exploit and finds potential targets for cyber criminals. Popular targets like Lululemon, Porsche, Starbucks etc are found in the Attacker's list of infection.", "modified": "2026-01-11T07:03:30.749000", "created": "2025-12-12T07:36:39.111000", "tags": [ "boundary string", "lululemon", "monero mining", "xmrig", "victim list", "react server", "components", "threat actor", "react2shell rce", "exploit", "attack", "cyber", "next", "target", "hunt", "facebook", "react2shell", "CVE-2025\u201355182" ], "references": [ "https://theravenfile.com/2025/12/12/react2shell-exploitation-in-the-wild/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Brazil", "India" ], "malware_families": [ { "id": "Trojan:MSIL/XMrigMiner", "display_name": "Trojan:MSIL/XMrigMiner", "target": "/malware/Trojan:MSIL/XMrigMiner" } ], "attack_ids": [], "industries": [ "Food", "Beverage", "Sports", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 47, "hostname": 457 }, "indicator_count": 1076, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://theravenfile.com/2025/12/12/react2shell-exploitation-in-the-wild/", "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:msil/xmrigminer" ], "industries": [ "Beverage", "Food", "Entertainment", "Sports" ], "unique_indicators": 3028 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/openai.com", "whois": "http://whois.domaintools.com/openai.com", "domain": "openai.com", "hostname": "chat.openai.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69db4f2dc509a1e8210f1b68", "name": "CAPE Sandbox", "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".", "modified": "2026-04-12T08:36:17.724000", "created": "2026-04-12T07:52:13.594000", "tags": [ "network admin", "civicplus", "net192", "net1920000", "houston", "suite e", "city", "server", "select contact", "domain holder", "date", "form", "submission", "ssdeep", "file type", "text text", "magic unicode", "utf8", "crlf line", "trid text", "magika txt", "file size", "chatgpt", "doctype html", "meta", "ai system", "research", "preview", "gmt server", "self", "dynamic", "html info", "title chatgpt", "meta tags", "thumbprint" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 602, "domain": 166, "email": 37, "hostname": 837, "FileHash-MD5": 125, "FileHash-SHA1": 136, "FileHash-SHA256": 1230, "IPv4": 399 }, "indicator_count": 3534, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693bc607c5d52f04c149f58d", "name": "REACT2SHELL: EXPLOITATION IN THE WILD -> THE RAVEN FILE", "description": "In The Raven File, an Independent Security Researcher, investigates the React2Shell RCE Exploit and finds potential targets for cyber criminals. Popular targets like Lululemon, Porsche, Starbucks etc are found in the Attacker's list of infection.", "modified": "2026-01-11T07:03:30.749000", "created": "2025-12-12T07:36:39.111000", "tags": [ "boundary string", "lululemon", "monero mining", "xmrig", "victim list", "react server", "components", "threat actor", "react2shell rce", "exploit", "attack", "cyber", "next", "target", "hunt", "facebook", "react2shell", "CVE-2025\u201355182" ], "references": [ "https://theravenfile.com/2025/12/12/react2shell-exploitation-in-the-wild/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Germany", "Brazil", "India" ], "malware_families": [ { "id": "Trojan:MSIL/XMrigMiner", "display_name": "Trojan:MSIL/XMrigMiner", "target": "/malware/Trojan:MSIL/XMrigMiner" } ], "attack_ids": [], "industries": [ "Food", "Beverage", "Sports", "Entertainment" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 47, "hostname": 457 }, "indicator_count": 1076, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://chat.openai.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://chat.openai.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638773.4270246 }