{ "type": "URL", "indicator": "https://cloud.keepasses.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cloud.keepasses.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3901114413, "indicator": "https://cloud.keepasses.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66616b89c93e2fdea5783ecf", "name": "Operation Crimson Palace: A Technical Deep Dive", "description": "Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.", "modified": "2024-07-06T07:03:30.324000", "created": "2024-06-06T07:55:53.329000", "tags": [ "cobalt strike", "cyberespionage", "powheartbeat", "credential access", "pocoproxy", "intrusion", "malware", "rudebird", "phantomnet", "ccoredoor", "eagerbee", "lateral movement", "impersoni-fake-ator", "nupakage" ], "references": [ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv" ], "public": 1, "adversary": "Chinese state actors", "targeted_countries": [], "malware_families": [ { "id": "NUPAKAGE", "display_name": "NUPAKAGE", "target": null }, { "id": "EAGERBEE", "display_name": "EAGERBEE", "target": null }, { "id": "CCoreDoor", "display_name": "CCoreDoor", "target": null }, { "id": "PhantomNet", "display_name": "PhantomNet", "target": null }, { "id": "PowHeartBeat", "display_name": "PowHeartBeat", "target": null }, { "id": "RUDEBIRD", "display_name": "RUDEBIRD", "target": null }, { "id": "Impersoni-Fake-Ator", "display_name": "Impersoni-Fake-Ator", "target": null }, { "id": "PocoProxy", "display_name": "PocoProxy", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 372, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 8, "hostname": 11, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 82 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 386953, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6661770ce7c47df731b164b7", "name": "Operation Crimson Palace: A Technical Deep Dive - Sophos News", "description": "This is the full report from Sophos Labs on the Chinese government cyberespionage campaign, Operation Crimson Palace, which was carried out in Southeast Asia in late 2022 and is now being investigated by CrowdStrike.", "modified": "2024-07-06T08:03:26.984000", "created": "2024-06-06T08:45:00.691000", "tags": [ "cluster charlie", "march", "cluster alpha", "sophos mdr", "sophos", "sophos labs", "ccoredoor", "pocoproxy", "cluster bravo", "defense evasion", "june", "august", "april", "powershell", "agent", "alpha", "psexec", "cobalt strike", "later", "explorer", "smanager", "info", "code", "drweb", "dump", "lsass", "malware", "virustotal", "loader", "sessionenv", "ator", "phantomnet", "cobalt beacon", "powheartbeat", "eagerbee" ], "references": [ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SessionEnv", "display_name": "SessionEnv", "target": null }, { "id": "Ator", "display_name": "Ator", "target": null }, { "id": "PhantomNet", "display_name": "PhantomNet", "target": null }, { "id": "CCoreDoor", "display_name": "CCoreDoor", "target": null }, { "id": "Cobalt Beacon", "display_name": "Cobalt Beacon", "target": null }, { "id": "Sophos", "display_name": "Sophos", "target": null }, { "id": "PocoProxy", "display_name": "PocoProxy", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "PowHeartBeat", "display_name": "PowHeartBeat", "target": null }, { "id": "EAGERBEE", "display_name": "EAGERBEE", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4, "hostname": 7 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv", "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv" ], "related": { "alienvault": { "adversary": [ "Chinese state actors" ], "malware_families": [ "Impersoni-fake-ator", "Pocoproxy", "Powheartbeat", "Phantomnet", "Eagerbee", "Rudebird", "Cobalt strike - s0154", "Nupakage", "Ccoredoor" ], "industries": [ "Government" ], "unique_indicators": 162 }, "other": { "adversary": [], "malware_families": [ "Cobalt beacon", "Pocoproxy", "Powheartbeat", "Phantomnet", "Sophos", "Eagerbee", "Ator", "Ccoredoor", "Cobalt strike", "Sessionenv" ], "industries": [ "Government" ], "unique_indicators": 24 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/keepasses.com", "whois": "http://whois.domaintools.com/keepasses.com", "domain": "keepasses.com", "hostname": "cloud.keepasses.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66616b89c93e2fdea5783ecf", "name": "Operation Crimson Palace: A Technical Deep Dive", "description": "Sophos Managed Detection and Response initiated a threat hunt across customers after detecting abuse of a vulnerable VMware executable. The hunt uncovered a complex, persistent cyberespionage campaign by Chinese state-sponsored actors targeting a high-profile government organization in Southeast Asia. Three distinct clusters of intrusion activity, designated Alpha, Bravo, and Charlie, were identified operating from at least March to December 2023. This report provides an in-depth technical analysis of the tactics, techniques, and procedures used by each cluster, including credential access, lateral movement, persistence mechanisms, command and control infrastructure, defense evasion tactics, and data exfiltration methods. It also details previous compromises observed within the same organization dating back to early 2022.", "modified": "2024-07-06T07:03:30.324000", "created": "2024-06-06T07:55:53.329000", "tags": [ "cobalt strike", "cyberespionage", "powheartbeat", "credential access", "pocoproxy", "intrusion", "malware", "rudebird", "phantomnet", "ccoredoor", "eagerbee", "lateral movement", "impersoni-fake-ator", "nupakage" ], "references": [ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1248-alpha.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1870_bravo.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_stac1305_charlie.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_prior_intrusions.csv", "https://raw.githubusercontent.com/sophoslabs/IoCs/master/crimson_palace_post-08-2023.csv" ], "public": 1, "adversary": "Chinese state actors", "targeted_countries": [], "malware_families": [ { "id": "NUPAKAGE", "display_name": "NUPAKAGE", "target": null }, { "id": "EAGERBEE", "display_name": "EAGERBEE", "target": null }, { "id": "CCoreDoor", "display_name": "CCoreDoor", "target": null }, { "id": "PhantomNet", "display_name": "PhantomNet", "target": null }, { "id": "PowHeartBeat", "display_name": "PowHeartBeat", "target": null }, { "id": "RUDEBIRD", "display_name": "RUDEBIRD", "target": null }, { "id": "Impersoni-Fake-Ator", "display_name": "Impersoni-Fake-Ator", "target": null }, { "id": "PocoProxy", "display_name": "PocoProxy", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 372, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 8, "hostname": 11, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 82 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 386953, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6661770ce7c47df731b164b7", "name": "Operation Crimson Palace: A Technical Deep Dive - Sophos News", "description": "This is the full report from Sophos Labs on the Chinese government cyberespionage campaign, Operation Crimson Palace, which was carried out in Southeast Asia in late 2022 and is now being investigated by CrowdStrike.", "modified": "2024-07-06T08:03:26.984000", "created": "2024-06-06T08:45:00.691000", "tags": [ "cluster charlie", "march", "cluster alpha", "sophos mdr", "sophos", "sophos labs", "ccoredoor", "pocoproxy", "cluster bravo", "defense evasion", "june", "august", "april", "powershell", "agent", "alpha", "psexec", "cobalt strike", "later", "explorer", "smanager", "info", "code", "drweb", "dump", "lsass", "malware", "virustotal", "loader", "sessionenv", "ator", "phantomnet", "cobalt beacon", "powheartbeat", "eagerbee" ], "references": [ "https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SessionEnv", "display_name": "SessionEnv", "target": null }, { "id": "Ator", "display_name": "Ator", "target": null }, { "id": "PhantomNet", "display_name": "PhantomNet", "target": null }, { "id": "CCoreDoor", "display_name": "CCoreDoor", "target": null }, { "id": "Cobalt Beacon", "display_name": "Cobalt Beacon", "target": null }, { "id": "Sophos", "display_name": "Sophos", "target": null }, { "id": "PocoProxy", "display_name": "PocoProxy", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "PowHeartBeat", "display_name": "PowHeartBeat", "target": null }, { "id": "EAGERBEE", "display_name": "EAGERBEE", "target": null } ], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4, "hostname": 7 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "696 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cloud.keepasses.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cloud.keepasses.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780430905.3362684 }