{ "type": "URL", "indicator": "https://cutlink.now/ChaIIan-82", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cutlink.now/ChaIIan-82", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4140271654, "indicator": "https://cutlink.now/ChaIIan-82", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f1f820805dcbddb689ed90", "name": "GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware.", "description": "The resurgence of Android malware campaigns disguised as Indian RTO (Regional Transport Office) applications has been documented by Cyble Research and Intelligence Labs (CRIL). These campaigns aim to compromise sensitive information of users in India, utilizing various distribution methods such as WhatsApp, SMS containing shortened URLs, GitHub-hosted APKs, and compromised websites, which highlight the multiple vectors of infection used by threat actors.", "modified": "2025-10-17T08:02:40.679000", "created": "2025-10-17T08:02:40.679000", "tags": [ "figure", "malware", "telegram bot", "opens", "android malware", "whatsapp", "urls", "ghostbat rat", "cril", "ghostbatratbot", "malicious", "virustotal", "download", "phishing", "click", "facebook" ], "references": [ "https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1575", "name": "Native Code", "display_name": "T1575 - Native Code" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 11, "URL": 6, "domain": 5, "hostname": 1 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "227 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efede9f2c00c34039b26fd", "name": "GhostBat RAT Disguised as Fake RTO Apps to Steal Banking Credentials", "description": "", "modified": "2025-10-15T18:54:33.777000", "created": "2025-10-15T18:54:33.777000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "229 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Oct week.3.pdf", "https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor" ], "malware_families": [], "industries": [], "unique_indicators": 776 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cutlink.now", "whois": "http://whois.domaintools.com/cutlink.now", "domain": "cutlink.now", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f1f820805dcbddb689ed90", "name": "GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware.", "description": "The resurgence of Android malware campaigns disguised as Indian RTO (Regional Transport Office) applications has been documented by Cyble Research and Intelligence Labs (CRIL). These campaigns aim to compromise sensitive information of users in India, utilizing various distribution methods such as WhatsApp, SMS containing shortened URLs, GitHub-hosted APKs, and compromised websites, which highlight the multiple vectors of infection used by threat actors.", "modified": "2025-10-17T08:02:40.679000", "created": "2025-10-17T08:02:40.679000", "tags": [ "figure", "malware", "telegram bot", "opens", "android malware", "whatsapp", "urls", "ghostbat rat", "cril", "ghostbatratbot", "malicious", "virustotal", "download", "phishing", "click", "facebook" ], "references": [ "https://cyble.com/blog/ghostbat-rat-inside-the-resurgence-of-rto-themed-android-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1575", "name": "Native Code", "display_name": "T1575 - Native Code" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" }, { "id": "T1582", "name": "SMS Control", "display_name": "T1582 - SMS Control" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 11, "URL": 6, "domain": 5, "hostname": 1 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "227 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68efede9f2c00c34039b26fd", "name": "GhostBat RAT Disguised as Fake RTO Apps to Steal Banking Credentials", "description": "", "modified": "2025-10-15T18:54:33.777000", "created": "2025-10-15T18:54:33.777000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "229 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cutlink.now/ChaIIan-82", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cutlink.now/ChaIIan-82", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780360531.9770029 }