{
  "type": "URL",
  "indicator": "https://db.17kp.xyz/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://db.17kp.xyz/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4071502257,
      "indicator": "https://db.17kp.xyz/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6837b630eb12914d48040cb6",
          "name": "Pumabot: Novel Botnet Targeting IoT Surveillance Devices",
          "description": "Darktrace researchers have identified Pumabot, a new botnet actively compromising IoT surveillance devices (e.g., cameras, DVRs). The malware propagates via worm-like capabilities, brute-forcing weak credentials, and exploiting unpatched vulnerabilities. Once infected, devices execute malicious commands, exfiltrate sensitive data, and enable attackers to hijack surveillance systems for lateral movement. Pumabot\u2019s modular design suggests ongoing evolution, posing significant risks to corporate networks using IoT security infrastructure.",
          "modified": "2025-06-28T01:05:20.892000",
          "created": "2025-05-29T01:19:43.993000",
          "tags": [
            "c2 server",
            "linux",
            "pam file",
            "pumabot",
            "ip address",
            "pumatronix",
            "http",
            "linux botnet",
            "linux internet",
            "things",
            "service",
            "install",
            "path",
            "json",
            "ddaemon"
          ],
          "references": [
            "https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ddaemon",
              "display_name": "Ddaemon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1538",
              "name": "Cloud Service Dashboard",
              "display_name": "T1538 - Cloud Service Dashboard"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 18,
            "YARA": 1,
            "domain": 2,
            "email": 1,
            "hostname": 6
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "338 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68404f3dba526ec7d34ae145",
          "name": "PumaBot: Novel Botnet Targeting IoT Surveillance Devices",
          "description": "Darktrace has been named the world's leading provider of advanced network detection and response (SOC) for the next five years, with a global presence of more than 1.5 million customers.",
          "modified": "2025-06-04T13:50:53.463000",
          "created": "2025-06-04T13:50:53.463000",
          "tags": [
            "c2 server",
            "linux",
            "pam file",
            "pumabot",
            "ip address",
            "pumatronix",
            "http",
            "linux botnet",
            "linux internet",
            "things",
            "service",
            "install",
            "path",
            "json",
            "ddaemon"
          ],
          "references": [
            "https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "JSON",
              "display_name": "JSON",
              "target": null
            },
            {
              "id": "Ddaemon",
              "display_name": "Ddaemon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 18,
            "hostname": 6,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "YARA": 1,
            "domain": 2,
            "email": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "361 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6837b18146c64e0ab478a4fc",
          "name": "PumaBot Botnet Targets Linux IoT for SSH Theft and Crypto Mining",
          "description": "",
          "modified": "2025-05-29T00:59:45.880000",
          "created": "2025-05-29T00:59:45.880000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 10,
            "hostname": 5
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "368 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Ddaemon",
            "Linux",
            "Json"
          ],
          "industries": [],
          "unique_indicators": 51
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/17kp.xyz",
    "whois": "http://whois.domaintools.com/17kp.xyz",
    "domain": "17kp.xyz",
    "hostname": "db.17kp.xyz"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6837b630eb12914d48040cb6",
      "name": "Pumabot: Novel Botnet Targeting IoT Surveillance Devices",
      "description": "Darktrace researchers have identified Pumabot, a new botnet actively compromising IoT surveillance devices (e.g., cameras, DVRs). The malware propagates via worm-like capabilities, brute-forcing weak credentials, and exploiting unpatched vulnerabilities. Once infected, devices execute malicious commands, exfiltrate sensitive data, and enable attackers to hijack surveillance systems for lateral movement. Pumabot\u2019s modular design suggests ongoing evolution, posing significant risks to corporate networks using IoT security infrastructure.",
      "modified": "2025-06-28T01:05:20.892000",
      "created": "2025-05-29T01:19:43.993000",
      "tags": [
        "c2 server",
        "linux",
        "pam file",
        "pumabot",
        "ip address",
        "pumatronix",
        "http",
        "linux botnet",
        "linux internet",
        "things",
        "service",
        "install",
        "path",
        "json",
        "ddaemon"
      ],
      "references": [
        "https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ddaemon",
          "display_name": "Ddaemon",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1538",
          "name": "Cloud Service Dashboard",
          "display_name": "T1538 - Cloud Service Dashboard"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 18,
        "YARA": 1,
        "domain": 2,
        "email": 1,
        "hostname": 6
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "338 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68404f3dba526ec7d34ae145",
      "name": "PumaBot: Novel Botnet Targeting IoT Surveillance Devices",
      "description": "Darktrace has been named the world's leading provider of advanced network detection and response (SOC) for the next five years, with a global presence of more than 1.5 million customers.",
      "modified": "2025-06-04T13:50:53.463000",
      "created": "2025-06-04T13:50:53.463000",
      "tags": [
        "c2 server",
        "linux",
        "pam file",
        "pumabot",
        "ip address",
        "pumatronix",
        "http",
        "linux botnet",
        "linux internet",
        "things",
        "service",
        "install",
        "path",
        "json",
        "ddaemon"
      ],
      "references": [
        "https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "JSON",
          "display_name": "JSON",
          "target": null
        },
        {
          "id": "Ddaemon",
          "display_name": "Ddaemon",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 18,
        "hostname": 6,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 7,
        "YARA": 1,
        "domain": 2,
        "email": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "361 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6837b18146c64e0ab478a4fc",
      "name": "PumaBot Botnet Targets Linux IoT for SSH Theft and Crypto Mining",
      "description": "",
      "modified": "2025-05-29T00:59:45.880000",
      "created": "2025-05-29T00:59:45.880000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 10,
        "hostname": 5
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "368 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://db.17kp.xyz/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://db.17kp.xyz/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780283646.526192
}