{ "type": "URL", "indicator": "https://deepseek.exploreio.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://deepseek.exploreio.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4040570673, "indicator": "https://deepseek.exploreio.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "67c148f5d64d299fa4a97670", "name": "Your MFA Is No Match for Sneaky2FA", "description": "In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.", "modified": "2025-03-30T05:00:33.922000", "created": "2025-02-28T05:26:13.622000", "tags": [ "phaas", "session cookies", "2fa bypass", "office 365", "phishing", "sneaky2fa" ], "references": [ "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sneaky2FA", "display_name": "Sneaky2FA", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "URL": 4, "domain": 12, "hostname": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 387026, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c67983886e527af342a579", "name": "Your MFA Is No Match for Sneaky2FA", "description": "", "modified": "2025-03-30T05:00:33.922000", "created": "2025-03-04T03:54:43.759000", "tags": [ "phaas", "session cookies", "2fa bypass", "office 365", "phishing", "sneaky2fa" ], "references": [ "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sneaky2FA", "display_name": "Sneaky2FA", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "67c148f5d64d299fa4a97670", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "URL": 4, "domain": 12, "hostname": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bde372858d6c9980212ae6", "name": "Fake DeepSeek Site Infects Mac Users with Poseidon Stealer", "description": "Adversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.", "modified": "2025-03-27T15:03:40.001000", "created": "2025-02-25T15:36:18.832000", "tags": [ "path", "button", "span", "link", "script", "template", "amos", "quot", "cfile", "github", "form", "footer", "code", "atomic", "meta", "stealer", "asyncrat", "terminal", "reload", "find", "close", "autoit", "icedid", "lazarus", "venomrat", "webdav", "solarmarker", "exodus", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "media", "main", "contact" ], "references": [ "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 14, "URL": 4, "domain": 7, "hostname": 1 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Sneaky2fa" ], "industries": [], "unique_indicators": 17 }, "other": { "adversary": [], "malware_families": [ "Sneaky2fa" ], "industries": [], "unique_indicators": 39 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/exploreio.net", "whois": "http://whois.domaintools.com/exploreio.net", "domain": "exploreio.net", "hostname": "deepseek.exploreio.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "67c148f5d64d299fa4a97670", "name": "Your MFA Is No Match for Sneaky2FA", "description": "In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.", "modified": "2025-03-30T05:00:33.922000", "created": "2025-02-28T05:26:13.622000", "tags": [ "phaas", "session cookies", "2fa bypass", "office 365", "phishing", "sneaky2fa" ], "references": [ "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sneaky2FA", "display_name": "Sneaky2FA", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "URL": 4, "domain": 12, "hostname": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 387026, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c67983886e527af342a579", "name": "Your MFA Is No Match for Sneaky2FA", "description": "", "modified": "2025-03-30T05:00:33.922000", "created": "2025-03-04T03:54:43.759000", "tags": [ "phaas", "session cookies", "2fa bypass", "office 365", "phishing", "sneaky2fa" ], "references": [ "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sneaky2FA", "display_name": "Sneaky2FA", "target": null } ], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "67c148f5d64d299fa4a97670", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 4, "URL": 4, "domain": 12, "hostname": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "430 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67bde372858d6c9980212ae6", "name": "Fake DeepSeek Site Infects Mac Users with Poseidon Stealer", "description": "Adversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.", "modified": "2025-03-27T15:03:40.001000", "created": "2025-02-25T15:36:18.832000", "tags": [ "path", "button", "span", "link", "script", "template", "amos", "quot", "cfile", "github", "form", "footer", "code", "atomic", "meta", "stealer", "asyncrat", "terminal", "reload", "find", "close", "autoit", "icedid", "lazarus", "venomrat", "webdav", "solarmarker", "exodus", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "media", "main", "contact" ], "references": [ "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 14, "URL": 4, "domain": 7, "hostname": 1 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "432 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://deepseek.exploreio.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://deepseek.exploreio.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780469507.080141 }