{ "type": "URL", "indicator": "https://cv.cbrw.ru/t.csproj", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cv.cbrw.ru/t.csproj", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4078458862, "indicator": "https://cv.cbrw.ru/t.csproj", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6856481e91561162ea5e10a6", "name": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication.", "description": "Proofpoint has recently identified a new variant of stealer malware known as Amatera Stealer, which is a rebranded version of ACR Stealer. Amatera Stealer is being marketed as malware-as-a-service (MaaS) and has been designed with enhanced features and sophistication, including improved anti-analysis capabilities. The malware is delivered through intricate web injects and unusual attack chains, significantly overlapping in code with its predecessor, ACR Stealer. Notably, recent versions have moved away from using Steam and Telegram for command and control (C2) functions.", "modified": "2025-07-21T00:04:47.952000", "created": "2025-06-21T05:50:22.584000", "tags": [ "amatera stealer", "proofpoint", "acr stealer", "powershell", "clearfake", "ntsockets", "maas", "windows", "ip address", "cloudflare", "telegram", "lumma stealer", "stealer", "april", "rhadamanthys", "june", "virustotal", "dword", "steam", "grmsk", "lumma", "clickfix", "acr", "amatera" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GrMsk", "display_name": "GrMsk", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Government", "Higher Education" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 5, "hostname": 3, "URL": 22 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6858ff795837878f7f4652db", "name": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication", "description": "Proofpoint has identified Amatera Stealer, a new variant of the ACR Stealer, rebranded and marketed as malware-as-a-service (MaaS) with advanced features and sophisticated anti-analysis capabilities. This malware enhances its stealth by employing NTSockets for communication with its command and control server and utilizes complex HTTP requests that avoid traditional DNS resolution. Amatera Stealer is distributed through ClearFake, which injects malicious scripts into legitimate sites, using techniques such as EtherHiding and ClickFix to deceive users and extract sensitive information from web browsers, cryptocurrency wallets, and messaging applications while evading detection. The overarching development of Amatera Stealer highlights a significant evolution in the threat landscape posed by information stealers, particularly amid increased competition from other malware solutions.", "modified": "2025-06-23T07:17:13.654000", "created": "2025-06-23T07:17:13.654000", "tags": [ "amatera stealer", "proofpoint", "acr stealer", "powershell", "clearfake", "ntsockets", "maas", "windows", "ip address", "cloudflare", "telegram", "lumma stealer", "stealer", "april", "rhadamanthys", "june", "virustotal", "dword", "steam", "grmsk", "lumma", "clickfix", "acr", "amatera" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GrMsk", "display_name": "GrMsk", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Government", "Higher Education" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 5, "hostname": 3, "URL": 21 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "344 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication", "Aug-Week2.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Acr", "Amatera", "Clearfake", "Lumma", "Grmsk", "Clickfix" ], "industries": [ "Government", "Higher education" ], "unique_indicators": 1037 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cbrw.ru", "whois": "http://whois.domaintools.com/cbrw.ru", "domain": "cbrw.ru", "hostname": "cv.cbrw.ru" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6856481e91561162ea5e10a6", "name": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication.", "description": "Proofpoint has recently identified a new variant of stealer malware known as Amatera Stealer, which is a rebranded version of ACR Stealer. Amatera Stealer is being marketed as malware-as-a-service (MaaS) and has been designed with enhanced features and sophistication, including improved anti-analysis capabilities. The malware is delivered through intricate web injects and unusual attack chains, significantly overlapping in code with its predecessor, ACR Stealer. Notably, recent versions have moved away from using Steam and Telegram for command and control (C2) functions.", "modified": "2025-07-21T00:04:47.952000", "created": "2025-06-21T05:50:22.584000", "tags": [ "amatera stealer", "proofpoint", "acr stealer", "powershell", "clearfake", "ntsockets", "maas", "windows", "ip address", "cloudflare", "telegram", "lumma stealer", "stealer", "april", "rhadamanthys", "june", "virustotal", "dword", "steam", "grmsk", "lumma", "clickfix", "acr", "amatera" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GrMsk", "display_name": "GrMsk", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Government", "Higher Education" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 5, "hostname": 3, "URL": 22 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "316 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6858ff795837878f7f4652db", "name": "Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication", "description": "Proofpoint has identified Amatera Stealer, a new variant of the ACR Stealer, rebranded and marketed as malware-as-a-service (MaaS) with advanced features and sophisticated anti-analysis capabilities. This malware enhances its stealth by employing NTSockets for communication with its command and control server and utilizes complex HTTP requests that avoid traditional DNS resolution. Amatera Stealer is distributed through ClearFake, which injects malicious scripts into legitimate sites, using techniques such as EtherHiding and ClickFix to deceive users and extract sensitive information from web browsers, cryptocurrency wallets, and messaging applications while evading detection. The overarching development of Amatera Stealer highlights a significant evolution in the threat landscape posed by information stealers, particularly amid increased competition from other malware solutions.", "modified": "2025-06-23T07:17:13.654000", "created": "2025-06-23T07:17:13.654000", "tags": [ "amatera stealer", "proofpoint", "acr stealer", "powershell", "clearfake", "ntsockets", "maas", "windows", "ip address", "cloudflare", "telegram", "lumma stealer", "stealer", "april", "rhadamanthys", "june", "virustotal", "dword", "steam", "grmsk", "lumma", "clickfix", "acr", "amatera" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GrMsk", "display_name": "GrMsk", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "ACR", "display_name": "ACR", "target": null }, { "id": "Amatera", "display_name": "Amatera", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [ "Government", "Higher Education" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 5, "hostname": 3, "URL": 21 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "344 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cv.cbrw.ru/t.csproj", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cv.cbrw.ru/t.csproj", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780398556.9615386 }