{
  "type": "URL",
  "indicator": "https://chatgptitalia.net/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://chatgptitalia.net/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4142358715,
      "indicator": "https://chatgptitalia.net/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69164f0a7f6a5f211525e7f1",
          "name": "Ransomware Attacks Surge 30% In October 2025",
          "description": "IoCs Associated with Qilin Ransomware Group, October 2025",
          "modified": "2025-12-13T21:01:06.712000",
          "created": "2025-11-13T21:35:06.330000",
          "tags": [
            "october",
            "opens",
            "qilin",
            "anydesk",
            "sinobi",
            "lockbit",
            "suite",
            "cve202561882",
            "cve202510035",
            "cisa advisory",
            "february",
            "akira",
            "ransomhub",
            "tightvnc",
            "attack",
            "warlock",
            "winscp",
            "mimikatz",
            "nirsoft",
            "teramind",
            "dragonforce",
            "ramp",
            "schtasks",
            "click",
            "facebook"
          ],
          "references": [
            "https://cyble.com/blog/ransomware-attacks-surge-october-2025/"
          ],
          "public": 1,
          "adversary": "Qilin",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "landshark11",
            "id": "75138",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 13,
            "URL": 4,
            "domain": 1
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6904c52fb10f3c6049f27f60",
          "name": "IOC Blocking",
          "description": "",
          "modified": "2025-11-30T14:01:52.236000",
          "created": "2025-10-31T14:18:22.994000",
          "tags": [],
          "references": [
            "UST Threat Advisory Report_30.10.2025_Agenda Ransomware Linux Variant Deployment via Remote Management and BYOVD Techniques_ESAF.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "URL": 44,
            "domain": 6,
            "hostname": 3
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "184 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69032eeb91df61e525fe5741",
          "name": "EbeeOct2025 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-29T09:05:33.273000",
          "created": "2025-10-30T09:24:59.370000",
          "tags": [],
          "references": [
            "OCT.pdf"
          ],
          "public": 1,
          "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 98,
            "FileHash-MD5": 166,
            "FileHash-SHA1": 122,
            "FileHash-SHA256": 190,
            "CVE": 9,
            "domain": 118,
            "email": 3,
            "hostname": 73
          },
          "indicator_count": 779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "185 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6900500615eadb000485fb5b",
          "name": "IOC - Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques",
          "description": "Trend\u2122 Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux ransomware variant on Windows systems. This follows a similar attack observed in June 2025, where MeshAgent and MeshCentral were used for deployment. In this recent incident, the threat actors utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines.",
          "modified": "2025-11-27T03:03:26.894000",
          "created": "2025-10-28T05:09:26.534000",
          "tags": [
            "redacted",
            "fake captcha",
            "sha1 detection",
            "findings http",
            "disease vector",
            "phishing site"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 4,
            "domain": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "187 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ff9080068e4441f63effe4",
          "name": "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques",
          "description": "Researchers from the University of California, Berkeley, and the Institute of Advanced Technology (IAS) identify and track the spread of a malicious version of the Windows operating system, known as Agenda Ransomware.",
          "modified": "2025-11-26T15:01:51.539000",
          "created": "2025-10-27T15:32:16.965000",
          "tags": [
            "redacted",
            "fake captcha",
            "deploys linux",
            "variant",
            "windows",
            "through remote",
            "indicators",
            "compromise sha1",
            "findings http",
            "disease vector",
            "agenda"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/agenda-ransomware-deploys-linux-variant/agenda-ransomware-iocs.txt",
            "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Deploys Linux",
              "display_name": "Deploys Linux",
              "target": null
            },
            {
              "id": "Agenda",
              "display_name": "Agenda",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13,
            "URL": 6,
            "domain": 1,
            "hostname": 2
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "188 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fdf895660fc7bbae3a223f",
          "name": "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques.",
          "description": "Agenda ransomware has recently been identified deploying a unique Linux variant on Windows systems, utilizing remote management tools and Bring Your Own Vulnerable Driver (BYOVD) techniques. This cross-platform capability complicates detection efforts for organizations, showcasing how sophisticated modern ransomware attacks have become.\n\nOperating since at least 2025, Agenda has quickly ascended to prominence among ransomware groups, marked by a rapid operational tempo and a broad geographical impact. Their ransomware-as-a-service (RaaS) model has systematically targeted organizations in economically developed nations, with a heightened focus on the United States, Western Europe, and Japan. Notably, their victimology pattern reveals opportunistic targeting across sectors that are particularly sensitive to operational disruptions, such as manufacturing, technology, financial services, and healthcare, all of which present enticing prospects for ransom payment due to the critical nature of their data.",
          "modified": "2025-11-25T10:05:15.633000",
          "created": "2025-10-26T10:31:49.498000",
          "tags": [
            "ransomware",
            "latest news",
            "research",
            "articles",
            "news",
            "reports",
            "learn",
            "redacted",
            "windows",
            "trend vision",
            "trend micro",
            "micro",
            "linux",
            "byovd",
            "trend",
            "vision one",
            "alliance",
            "stop",
            "find",
            "winscp",
            "powershell",
            "tools",
            "protect",
            "small",
            "carriers",
            "voice",
            "attack",
            "elite",
            "qilin",
            "june",
            "anydesk",
            "desktop",
            "agent",
            "akira",
            "impact",
            "execution",
            "korean",
            "coroxy",
            "agenda",
            "fake captcha",
            "deploys linux",
            "variant",
            "through remote",
            "indicators",
            "compromise sha1",
            "findings http",
            "disease vector"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "France",
            "Canada",
            "United Kingdom of Great Britain and Northern Ireland",
            "Japan"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [
            "Manufacturing",
            "Technology",
            "Financial Services",
            "Healthcare"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "URL": 6,
            "domain": 2,
            "hostname": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 13
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 548,
          "modified_text": "189 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fcba0c7a843806144206e0",
          "name": "Agenda Ransomware Deploys Linux RAT on Windows Systems",
          "description": "",
          "modified": "2025-11-24T11:02:00.391000",
          "created": "2025-10-25T11:52:44.503000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 1,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "190 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "UST Threat Advisory Report_30.10.2025_Agenda Ransomware Linux Variant Deployment via Remote Management and BYOVD Techniques_ESAF.pdf",
        "OCT.pdf",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/agenda-ransomware-deploys-linux-variant/agenda-ransomware-iocs.txt",
        "https://cyble.com/blog/ransomware-attacks-surge-october-2025/",
        "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
            "Qilin"
          ],
          "malware_families": [
            "Agenda",
            "Deploys linux"
          ],
          "industries": [
            "Manufacturing",
            "Financial services",
            "Technology",
            "Healthcare"
          ],
          "unique_indicators": 916
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/chatgptitalia.net",
    "whois": "http://whois.domaintools.com/chatgptitalia.net",
    "domain": "chatgptitalia.net",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69164f0a7f6a5f211525e7f1",
      "name": "Ransomware Attacks Surge 30% In October 2025",
      "description": "IoCs Associated with Qilin Ransomware Group, October 2025",
      "modified": "2025-12-13T21:01:06.712000",
      "created": "2025-11-13T21:35:06.330000",
      "tags": [
        "october",
        "opens",
        "qilin",
        "anydesk",
        "sinobi",
        "lockbit",
        "suite",
        "cve202561882",
        "cve202510035",
        "cisa advisory",
        "february",
        "akira",
        "ransomhub",
        "tightvnc",
        "attack",
        "warlock",
        "winscp",
        "mimikatz",
        "nirsoft",
        "teramind",
        "dragonforce",
        "ramp",
        "schtasks",
        "click",
        "facebook"
      ],
      "references": [
        "https://cyble.com/blog/ransomware-attacks-surge-october-2025/"
      ],
      "public": 1,
      "adversary": "Qilin",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "landshark11",
        "id": "75138",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 13,
        "URL": 4,
        "domain": 1
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "170 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6904c52fb10f3c6049f27f60",
      "name": "IOC Blocking",
      "description": "",
      "modified": "2025-11-30T14:01:52.236000",
      "created": "2025-10-31T14:18:22.994000",
      "tags": [],
      "references": [
        "UST Threat Advisory Report_30.10.2025_Agenda Ransomware Linux Variant Deployment via Remote Management and BYOVD Techniques_ESAF.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "URL": 44,
        "domain": 6,
        "hostname": 3
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "184 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69032eeb91df61e525fe5741",
      "name": "EbeeOct2025 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-29T09:05:33.273000",
      "created": "2025-10-30T09:24:59.370000",
      "tags": [],
      "references": [
        "OCT.pdf"
      ],
      "public": 1,
      "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 98,
        "FileHash-MD5": 166,
        "FileHash-SHA1": 122,
        "FileHash-SHA256": 190,
        "CVE": 9,
        "domain": 118,
        "email": 3,
        "hostname": 73
      },
      "indicator_count": 779,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "185 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6900500615eadb000485fb5b",
      "name": "IOC - Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques",
      "description": "Trend\u2122 Research identified a sophisticated ransomware attack by the Agenda group that deployed their Linux ransomware variant on Windows systems. This follows a similar attack observed in June 2025, where MeshAgent and MeshCentral were used for deployment. In this recent incident, the threat actors utilized a novel deployment method combining WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines.",
      "modified": "2025-11-27T03:03:26.894000",
      "created": "2025-10-28T05:09:26.534000",
      "tags": [
        "redacted",
        "fake captcha",
        "sha1 detection",
        "findings http",
        "disease vector",
        "phishing site"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 4,
        "domain": 1
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "187 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ff9080068e4441f63effe4",
      "name": "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques",
      "description": "Researchers from the University of California, Berkeley, and the Institute of Advanced Technology (IAS) identify and track the spread of a malicious version of the Windows operating system, known as Agenda Ransomware.",
      "modified": "2025-11-26T15:01:51.539000",
      "created": "2025-10-27T15:32:16.965000",
      "tags": [
        "redacted",
        "fake captcha",
        "deploys linux",
        "variant",
        "windows",
        "through remote",
        "indicators",
        "compromise sha1",
        "findings http",
        "disease vector",
        "agenda"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/agenda-ransomware-deploys-linux-variant/agenda-ransomware-iocs.txt",
        "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Deploys Linux",
          "display_name": "Deploys Linux",
          "target": null
        },
        {
          "id": "Agenda",
          "display_name": "Agenda",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AustinBH",
        "id": "147442",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13,
        "URL": 6,
        "domain": 1,
        "hostname": 2
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "188 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fdf895660fc7bbae3a223f",
      "name": "Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques.",
      "description": "Agenda ransomware has recently been identified deploying a unique Linux variant on Windows systems, utilizing remote management tools and Bring Your Own Vulnerable Driver (BYOVD) techniques. This cross-platform capability complicates detection efforts for organizations, showcasing how sophisticated modern ransomware attacks have become.\n\nOperating since at least 2025, Agenda has quickly ascended to prominence among ransomware groups, marked by a rapid operational tempo and a broad geographical impact. Their ransomware-as-a-service (RaaS) model has systematically targeted organizations in economically developed nations, with a heightened focus on the United States, Western Europe, and Japan. Notably, their victimology pattern reveals opportunistic targeting across sectors that are particularly sensitive to operational disruptions, such as manufacturing, technology, financial services, and healthcare, all of which present enticing prospects for ransom payment due to the critical nature of their data.",
      "modified": "2025-11-25T10:05:15.633000",
      "created": "2025-10-26T10:31:49.498000",
      "tags": [
        "ransomware",
        "latest news",
        "research",
        "articles",
        "news",
        "reports",
        "learn",
        "redacted",
        "windows",
        "trend vision",
        "trend micro",
        "micro",
        "linux",
        "byovd",
        "trend",
        "vision one",
        "alliance",
        "stop",
        "find",
        "winscp",
        "powershell",
        "tools",
        "protect",
        "small",
        "carriers",
        "voice",
        "attack",
        "elite",
        "qilin",
        "june",
        "anydesk",
        "desktop",
        "agent",
        "akira",
        "impact",
        "execution",
        "korean",
        "coroxy",
        "agenda",
        "fake captcha",
        "deploys linux",
        "variant",
        "through remote",
        "indicators",
        "compromise sha1",
        "findings http",
        "disease vector"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "France",
        "Canada",
        "United Kingdom of Great Britain and Northern Ireland",
        "Japan"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [
        "Manufacturing",
        "Technology",
        "Financial Services",
        "Healthcare"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "URL": 6,
        "domain": 2,
        "hostname": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 13
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 548,
      "modified_text": "189 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fcba0c7a843806144206e0",
      "name": "Agenda Ransomware Deploys Linux RAT on Windows Systems",
      "description": "",
      "modified": "2025-11-24T11:02:00.391000",
      "created": "2025-10-25T11:52:44.503000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 1,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "190 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://chatgptitalia.net/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://chatgptitalia.net/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780415927.0340126
}