{ "type": "URL", "indicator": "https://clickfilehere.site/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://clickfilehere.site/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4143655122, "indicator": "https://clickfilehere.site/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6900fdac7825947c6ae41954", "name": "Malicious cracks on LinkedIn: campaign that distributes stealers and hacktools (ProcessHacker and variants) via \u201cfree download\u201d links", "description": "A sophisticated cybercrime campaign is exploiting LinkedIn to distribute malware. Actors create seemingly legitimate posts offering \"cracks\" or \"free downloads\" of high-value software like Adobe Photoshop and Acrobat. Links redirect users to warez sites or cloud storage (MediaFire, S3) hosting compressed files with malicious executables. Analysis confirms infostealers, keyloggers, and backdoor modules for persistent C2. The malware steals session cookies, browser credentials, and cryptocurrency keys, enabling Account Takeover (ATO) and asset theft. Compromised accounts are used to further propagate the campaign, creating a self-amplifying attack cycle.", "modified": "2025-10-28T17:36:15.155000", "created": "2025-10-28T17:30:19.182000", "tags": [], "references": [ "https://www.virustotal.com/gui/file/9b17eea3f959fbee407f151859da1a8ab18290a6c2a1f41e15824362c7200dc3/detection", "https://www.helpnetsecurity.com/2024/07/16/malicious-ads-facebook-linkedin/?utm_source=chatgpt.com", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service?utm_source=chatgpt.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool:Win64/InfoStealer", "display_name": "HackTool:Win64/InfoStealer", "target": "/malware/HackTool:Win64/InfoStealer" }, { "id": "LummaC2", "display_name": "LummaC2", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Azurejoga", "id": "258958", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 37, "FileHash-MD5": 7, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service?utm_source=chatgpt.com", "https://www.virustotal.com/gui/file/9b17eea3f959fbee407f151859da1a8ab18290a6c2a1f41e15824362c7200dc3/detection", "OCT.pdf", "https://www.helpnetsecurity.com/2024/07/16/malicious-ads-facebook-linkedin/?utm_source=chatgpt.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S" ], "malware_families": [ "Hacktool:win64/infostealer", "Lummastealer", "Lummac2", "Privateloader" ], "industries": [], "unique_indicators": 859 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/clickfilehere.site", "whois": "http://whois.domaintools.com/clickfilehere.site", "domain": "clickfilehere.site", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6900fdac7825947c6ae41954", "name": "Malicious cracks on LinkedIn: campaign that distributes stealers and hacktools (ProcessHacker and variants) via \u201cfree download\u201d links", "description": "A sophisticated cybercrime campaign is exploiting LinkedIn to distribute malware. Actors create seemingly legitimate posts offering \"cracks\" or \"free downloads\" of high-value software like Adobe Photoshop and Acrobat. Links redirect users to warez sites or cloud storage (MediaFire, S3) hosting compressed files with malicious executables. Analysis confirms infostealers, keyloggers, and backdoor modules for persistent C2. The malware steals session cookies, browser credentials, and cryptocurrency keys, enabling Account Takeover (ATO) and asset theft. Compromised accounts are used to further propagate the campaign, creating a self-amplifying attack cycle.", "modified": "2025-10-28T17:36:15.155000", "created": "2025-10-28T17:30:19.182000", "tags": [], "references": [ "https://www.virustotal.com/gui/file/9b17eea3f959fbee407f151859da1a8ab18290a6c2a1f41e15824362c7200dc3/detection", "https://www.helpnetsecurity.com/2024/07/16/malicious-ads-facebook-linkedin/?utm_source=chatgpt.com", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service?utm_source=chatgpt.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HackTool:Win64/InfoStealer", "display_name": "HackTool:Win64/InfoStealer", "target": "/malware/HackTool:Win64/InfoStealer" }, { "id": "LummaC2", "display_name": "LummaC2", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Azurejoga", "id": "258958", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 37, "FileHash-MD5": 7, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://clickfilehere.site/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://clickfilehere.site/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780396720.2140975 }