{ "type": "URL", "indicator": "https://checkmarx.zone/raw", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://checkmarx.zone/raw", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4280305294, "indicator": "https://checkmarx.zone/raw", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69c2ec9e68be792f27e3db61", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:57:18.143000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2ec9f15970b4bf1f44f0c", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:57:19.150000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2ecd8b146e02a0f5f774c", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:58:16.621000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-05-01T08:03:52.918000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "CIDR": 1 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-04-30T13:11:24.721000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2b91654d87ca1408b462e", "name": "com.apple.aurora.apptelemetry.mas_messages_server.e2esendtimereceiver", "description": "", "modified": "2026-03-25T02:50:06.516000", "created": "2026-03-24T16:17:26.846000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "hostname": 2, "domain": 2, "FileHash-SHA256": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.pdf", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem", "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "TeamPCP" ], "malware_families": [ "Kics", "Teampcp" ], "industries": [], "unique_indicators": 1609 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/checkmarx.zone", "whois": "http://whois.domaintools.com/checkmarx.zone", "domain": "checkmarx.zone", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69c2ec9e68be792f27e3db61", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:57:18.143000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2ec9f15970b4bf1f44f0c", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:57:19.150000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2ecd8b146e02a0f5f774c", "name": "How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM", "description": "Find out more about Snyk, the artificial intelligence security platform, at the RSAC 2026 in Las Vegas, which will host a conference on the future of app security and software security.", "modified": "2026-05-23T00:06:10.121000", "created": "2026-03-24T19:58:16.621000", "tags": [ "snyk-security-intel", "americas", "devops", "snyk-apprisk", "python", "cloud-security", "ai", "developer", "application-security", "secrets", "security", "vulnerability-insights", "code-security", "security-labs", "snyk-open-source", "supply-chain-security", "container-security", "tech", "kubernetes", "blog", "awareness", "aspm", "docker", "devsecops", "open-source-security", "ci-cd", "trivy", "litellm", "pypi", "march", "hacker news", "snyk", "kics", "service", "pcpcat", "hooks", "mcmahon", "bitcoin", "telegram", "phase", "spaceship", "grep" ], "references": [ "https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/", "https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "KICS", "display_name": "KICS", "target": null }, { "id": "TeamPCP", "display_name": "TeamPCP", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "landshark11", "id": "75138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 2, "domain": 5, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cc5a4859361602b172249c", "name": "ColorMap PNG", "description": "d76f5631d55f301608ca14b38d282e02\n810afcebb23642b681d151a81fdcca3fcc43f96a\n04d05978fdb111358073ab0524e5c1fafc0826615c206987618416b8bd8a4747\n48:4othnooOT1/qVbqdGIVp4NWjORVFQ55AsybKpGbDtzD1thJYERaSuXWB6:dn584VbqdTp4jZvsybKYb1lJYEa\nT135514DC4AB7C051C705B439F78E195F6656C46931E88CF4AA4548EF35617372C0A7860\nPNG \nmultimedia\nimage\npng\nPNG image data, 1233 x 100, 4-bit colormap, non-interlaced\nPortable Network Graphics (100%)", "modified": "2026-05-01T08:03:52.918000", "created": "2026-03-31T23:35:36.259000", "tags": [ "png image", "graphics" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 567, "FileHash-MD5": 27, "FileHash-SHA1": 21, "domain": 24, "hostname": 30, "URL": 59, "CIDR": 1 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc674b257616b45f5a857", "name": "Ringing in Chaos: How TeamPCP Weaponized the Telnyx Python SDK - Hexastrike Cybersecurity", "description": "", "modified": "2026-04-30T13:11:24.721000", "created": "2026-03-31T13:04:52.869000", "tags": [ "teampcp", "litellm", "python", "pypi", "kubernetes", "trivy", "checkmarx", "telnyx", "windows", "stage", "vect", "harvester", "dash", "teamtnt", "stop", "hunt", "loader", "service" ], "references": [ "https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-MD5": 8, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 8, "domain": 4, "hostname": 3 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c2b91654d87ca1408b462e", "name": "com.apple.aurora.apptelemetry.mas_messages_server.e2esendtimereceiver", "description": "", "modified": "2026-03-25T02:50:06.516000", "created": "2026-03-24T16:17:26.846000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "hostname": 2, "domain": 2, "FileHash-SHA256": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "67 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://checkmarx.zone/raw", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://checkmarx.zone/raw", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780234564.2233477 }