{ "type": "URL", "indicator": "https://cognimuse.cs.ntua.gr/search.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cognimuse.cs.ntua.gr/search.php", "type": "url", "type_title": "URL", "validation": [ { "source": "majestic", "message": "Whitelisted domain ntua.gr", "name": "Whitelisted domain" } ], "base_indicator": { "id": 13147, "indicator": "https://cognimuse.cs.ntua.gr/search.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "55afcff3b45ff57d4094e6b3", "name": "Duke APT group's latest tools: cloud services and Linux support", "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.", "modified": "2017-07-24T11:16:43.608000", "created": "2015-07-22T17:16:35.665000", "tags": [ "cloudduke", "duke", "onedrive", "seaduke", "cozyduke", "minidionis", "trojan", "f-secure" ], "references": [ "https://www.f-secure.com/weblog/archives/00002822.html" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-SHA1": 18, "YARA": 6, "FileHash-SHA256": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "3232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-30T00:28:12.957000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 58066, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 873822, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.f-secure.com/weblog/archives/00002822.html" ], "related": { "alienvault": { "adversary": [ "APT 29" ], "malware_families": [], "industries": [], "unique_indicators": 44 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Defense", "Government", "Industrial" ], "unique_indicators": 1149778 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ntua.gr", "whois": "http://whois.domaintools.com/ntua.gr", "domain": "ntua.gr", "hostname": "cognimuse.cs.ntua.gr" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "55afcff3b45ff57d4094e6b3", "name": "Duke APT group's latest tools: cloud services and Linux support", "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have born a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.", "modified": "2017-07-24T11:16:43.608000", "created": "2015-07-22T17:16:35.665000", "tags": [ "cloudduke", "duke", "onedrive", "seaduke", "cozyduke", "minidionis", "trojan", "f-secure" ], "references": [ "https://www.f-secure.com/weblog/archives/00002822.html" ], "public": 1, "adversary": "APT 29", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 2.0, "downvotes_count": 0.0, "votes_count": 2.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-SHA1": 18, "YARA": 6, "FileHash-SHA256": 13 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "3232 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-30T00:28:12.957000", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 58066, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 873822, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cognimuse.cs.ntua.gr/search.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cognimuse.cs.ntua.gr/search.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170405.0818408 }