{ "type": "URL", "indicator": "https://ddy.alipico.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ddy.alipico.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4183655870, "indicator": "https://ddy.alipico.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6996ef256528000ea157373e", "name": "ThreatFix_URL_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:08:21.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA256": 1, "URL": 1197, "domain": 314, "hostname": 284 }, "indicator_count": 1806, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e7c9d9f8a02bb2372aaf", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:15:21.240000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e8d88f2f4959a8114d9b", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:19:52.822000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972ea172ec6ec5d5a2be6e1", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:25:11.086000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e00c8e5bb1e72dd3d841", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T02:03:12.743000", "created": "2026-01-23T02:42:20.600000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972ca5321e1af5a640b05ed", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T01:04:54.087000", "created": "2026-01-23T01:09:39.883000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69727864c7c15bf4a5e942a7", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 26 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T19:04:39.636000", "created": "2026-01-22T19:20:04.303000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "FileHash-MD5": 18, "URL": 71, "hostname": 48, "FileHash-SHA256": 1 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69727f6d3237a0506236fc50", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 26 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T19:04:39.636000", "created": "2026-01-22T19:50:05.396000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "FileHash-MD5": 18, "URL": 71, "hostname": 48, "FileHash-SHA256": 1 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69726a531873a67866759aa7", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T18:01:16.981000", "created": "2026-01-22T18:20:03.695000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 71, "hostname": 48, "domain": 36, "FileHash-MD5": 18, "FileHash-SHA256": 1 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69725c428595e7794055295d", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(102), Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(35). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:20:02.268000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "URL": 69, "domain": 37, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69725fe082e1bf920a9f111c", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:35:28.108000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69726166a812a8564dc6ecb4", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:41:58.199000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697261f7d3b3e4510dbe8e1b", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(35), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:44:23.781000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69726263a6a09290a69a05b0", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:46:11.599000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697262b0461d77d7840dfac8", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(35), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:47:28.531000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697262d8265125246ed8c484", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:48:08.733000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69726326c7fdd7bbfe836e16", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:49:26.303000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972634eba2ecba33ea55ba7", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:50:06.629000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972636928a7fbb88bfe8de7", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:50:33.699000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697263ca04c2057456e7657a", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:52:10.460000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697263fdc4133f31df7683be", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:53:01.158000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972644a71595704d7046c6c", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 29 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:54:18.154000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 38, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697264e06f628b58f8a65911", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-22", "description": "Automated ThreatFox hunt for Vidar indicators. 63 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:56:48.591000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972652973f351c64e583597", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 11 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T17:03:56.860000", "created": "2026-01-22T17:58:01.862000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 39, "FileHash-MD5": 18, "URL": 69, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697255409aafd5293bd04121", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(102), Unknown malware(92), Meterpreter(79), Nitrogen Ransomware(36), Vidar(35). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T16:04:38.546000", "created": "2026-01-22T16:50:08.090000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "URL": 69, "domain": 37, "hostname": 47, "FileHash-SHA256": 1 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69724025191082298017cb0a", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(25), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T15:01:19.251000", "created": "2026-01-22T15:20:05.939000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 21, "URL": 64, "domain": 14, "FileHash-SHA256": 1 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972472cee0f93a274483cc2", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(102), Meterpreter(73), Unknown malware(64), Nitrogen Ransomware(36), Vidar(35). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T15:01:19.251000", "created": "2026-01-22T15:50:04.750000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "domain": 39, "hostname": 24, "URL": 74, "FileHash-SHA256": 1 }, "indicator_count": 149, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69723217e03a1ed95119207c", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T14:05:04.370000", "created": "2026-01-22T14:20:07.188000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 64, "domain": 14, "hostname": 19, "FileHash-SHA256": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972391dd01fa59fa1d95d01", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T14:05:04.370000", "created": "2026-01-22T14:50:05.614000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 64, "domain": 14, "hostname": 19, "FileHash-SHA256": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697224021c465a540fd4078d", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T13:03:41.558000", "created": "2026-01-22T13:20:02.201000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 64, "domain": 14, "hostname": 19, "FileHash-SHA256": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69722b0ca81207c90b31779e", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T13:03:41.558000", "created": "2026-01-22T13:50:04.763000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 64, "domain": 14, "hostname": 19, "FileHash-SHA256": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697215f65782799a98ea5a86", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(102), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T12:01:04.985000", "created": "2026-01-22T12:20:06.946000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 15, "hostname": 22, "URL": 20, "FileHash-SHA256": 1 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69721cfcac43e59a6b4d10db", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Meterpreter/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(103), Meterpreter(73), Unknown malware(69), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T12:01:04.985000", "created": "2026-01-22T12:50:04.679000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "meterpreter", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 16, "hostname": 22, "URL": 20, "FileHash-SHA256": 1 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697207e762fbfa82ef1f5fdd", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(93), Unknown malware(69), Meterpreter(57), Cobalt Strike(25), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T11:00:35.105000", "created": "2026-01-22T11:20:07.177000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 47, "hostname": 15, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69720eed6560b811623328f7", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(93), Unknown malware(69), Meterpreter(57), Cobalt Strike(25), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T11:00:35.105000", "created": "2026-01-22T11:50:05.798000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "URL": 44, "hostname": 15, "FileHash-SHA256": 1 }, "indicator_count": 68, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971ebc26ef080251af7573a", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(93), Unknown malware(71), Meterpreter(57), Vidar(34), Cobalt Strike(24). Source: abuse.ch ThreatFox API. SSL enriched: 45 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T09:02:54.440000", "created": "2026-01-22T09:20:02.829000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 14, "URL": 51, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971f2ca27d18712bf9981b5", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(93), Unknown malware(71), Meterpreter(57), Cobalt Strike(24), Vidar(17). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 12 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T09:02:54.440000", "created": "2026-01-22T09:50:02.829000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 57, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971ddba331f8ff8b174aaec", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(97), Unknown malware(71), Meterpreter(57), Vidar(34), Cobalt Strike(25). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T08:04:07.206000", "created": "2026-01-22T08:20:10.561000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 52, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971e4bc122d33ae8a5d8dc9", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(97), Unknown malware(71), Meterpreter(57), Vidar(34), Cobalt Strike(24). Source: abuse.ch ThreatFox API. SSL enriched: 41 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T08:04:07.206000", "created": "2026-01-22T08:50:04.766000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 15, "URL": 52, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971cfa596012b4757a19225", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(97), Unknown malware(72), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T07:03:24.259000", "created": "2026-01-22T07:20:05.916000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 53, "FileHash-SHA256": 1, "domain": 22 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971d6aca0cd735f1a90c617", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(97), Unknown malware(72), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 19 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T07:03:24.259000", "created": "2026-01-22T07:50:04.121000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 53, "FileHash-SHA256": 1, "domain": 22 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971c19514f2126902d9415b", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(74), Meterpreter(43), Vidar(34), Remcos(19). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T06:00:02.418000", "created": "2026-01-22T06:20:05.533000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 29, "URL": 53, "FileHash-SHA256": 1, "domain": 22 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971b385a87a4dcf5e04ab8a", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(75), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T05:04:48.327000", "created": "2026-01-22T05:20:05.464000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 53, "FileHash-SHA256": 1, "domain": 24 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971ba8d303c4487c9ce1d8d", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(74), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T05:04:48.327000", "created": "2026-01-22T05:50:04.926000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 53, "FileHash-SHA256": 1, "domain": 24 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971a574920df14df8b7bd96", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(75), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T04:01:27.753000", "created": "2026-01-22T04:20:04.257000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "URL": 53, "FileHash-SHA256": 1, "domain": 25 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6971ac7a4832cb9f191a9748", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(75), Meterpreter(43), Vidar(34), Cobalt Strike(19). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T04:01:27.753000", "created": "2026-01-22T04:50:02.759000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "URL": 53, "FileHash-SHA256": 1, "domain": 25 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697197624dcc94778341f4a4", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(75), Vidar(34), Meterpreter(28), Cobalt Strike(21). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T03:02:15.727000", "created": "2026-01-22T03:20:02.109000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 43, "URL": 53, "FileHash-SHA256": 1, "domain": 33 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69719e6cf31d8596019078fb", "name": "OSINT Volley 2026-01-22 - Unknown Stealer/Unknown malware/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(99), Unknown malware(75), Vidar(34), Meterpreter(28), Cobalt Strike(21). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T03:02:15.727000", "created": "2026-01-22T03:50:04.383000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 43, "URL": 53, "FileHash-SHA256": 1, "domain": 33 }, "indicator_count": 130, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "102 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Unknown stealer", "Qilin", "Ransomhub", "Unknown malware", "Vidar", "Meterpreter", "Remcos", "Cobalt strike", "Nitrogen ransomware" ], "industries": [], "unique_indicators": 4849 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/alipico.com", "whois": "http://whois.domaintools.com/alipico.com", "domain": "alipico.com", "hostname": "ddy.alipico.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6996ef256528000ea157373e", "name": "ThreatFix_URL_262", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-03-21T11:34:25.575000", "created": "2026-02-19T11:08:21.110000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qilin", "display_name": "Qilin", "target": null }, { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA256": 1, "URL": 1197, "domain": 314, "hostname": 284 }, "indicator_count": 1806, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69660e4e2abebabebf02224c", "name": "ThreatFix_URL", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:20:12.942000", "tags": [ "feed", "window", "rah623925" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2280, "FileHash-MD5": 22, "domain": 618, "hostname": 520 }, "indicator_count": 3440, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "97 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e7c9d9f8a02bb2372aaf", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:15:21.240000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e8d88f2f4959a8114d9b", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:19:52.822000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972ea172ec6ec5d5a2be6e1", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T03:03:29.038000", "created": "2026-01-23T03:25:11.086000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972e00c8e5bb1e72dd3d841", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T02:03:12.743000", "created": "2026-01-23T02:42:20.600000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6972ca5321e1af5a640b05ed", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-23", "description": "Automated ThreatFox hunt for Vidar indicators. 72 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-22T01:04:54.087000", "created": "2026-01-23T01:09:39.883000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "hostname": 17, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69727864c7c15bf4a5e942a7", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 26 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T19:04:39.636000", "created": "2026-01-22T19:20:04.303000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "FileHash-MD5": 18, "URL": 71, "hostname": 48, "FileHash-SHA256": 1 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69727f6d3237a0506236fc50", "name": "OSINT Volley 2026-01-22 - Unknown malware/Meterpreter/Nitrogen Ransomware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(95), Meterpreter(79), Nitrogen Ransomware(36), Vidar(31), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 26 IPs with HTTPS, 9 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-21T19:04:39.636000", "created": "2026-01-22T19:50:05.396000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "meterpreter", "nitrogen-ransomware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "FileHash-MD5": 18, "URL": 71, "hostname": 48, "FileHash-SHA256": 1 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ddy.alipico.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ddy.alipico.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780474496.2293627 }