{ "type": "URL", "indicator": "https://dropper.agent.gi", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dropper.agent.gi", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4074886354, "indicator": "https://dropper.agent.gi", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6863c9691aecb6c01963ffa0", "name": "Iranian APT Actors-Pt1", "description": "", "modified": "2025-07-31T11:02:12.428000", "created": "2025-07-01T11:41:28.230000", "tags": [], "references": [ "IOCs2.pdf" ], "public": 1, "adversary": "Yellow Liderc, APT34, Void Manticore", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 129, "FileHash-MD5": 135, "FileHash-SHA1": 139, "FileHash-SHA256": 167, "CVE": 8, "domain": 323, "hostname": 71 }, "indicator_count": 972, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846a993fd84ef827e92ac15", "name": "BladedFeline: Unmasking the Iran-Aligned Cyberespionage Group", "description": "Dive into ESET's comprehensive analysis of BladedFeline, an Iran-aligned APT group with likely ties to OilRig. This report uncovers the group's sophisticated cyberespionage operations targeting Kurdish and Iraqi government officials. Learn about their advanced tools, including the Whisper backdoor and PrimeCache IIS module, and their persistent efforts to maintain access to high-ranking officials.", "modified": "2025-07-09T09:00:16.142000", "created": "2025-06-09T09:29:55.771000", "tags": [ "strong", "bladedfeline", "whisper", "primecache", "oilrig", "laret", "pinar", "c server", "krg system", "step", "rdat", "virustotal", "olala", "null", "powershell", "lsass", "first", "format", "execution", "lumma stealer", "tips", "plink", "psexec", "danbot", "shark", "milan", "solar", "mango", "mark", "next", "win64", "example", "unknown", "shell", "python", "persistence", "danabot" ], "references": [ "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 5, "domain": 5, "hostname": 5 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs2.pdf", "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Yellow Liderc, APT34, Void Manticore" ], "malware_families": [], "industries": [], "unique_indicators": 1152 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/agent.gi", "whois": "http://whois.domaintools.com/agent.gi", "domain": "agent.gi", "hostname": "dropper.agent.gi" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6863c9691aecb6c01963ffa0", "name": "Iranian APT Actors-Pt1", "description": "", "modified": "2025-07-31T11:02:12.428000", "created": "2025-07-01T11:41:28.230000", "tags": [], "references": [ "IOCs2.pdf" ], "public": 1, "adversary": "Yellow Liderc, APT34, Void Manticore", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 129, "FileHash-MD5": 135, "FileHash-SHA1": 139, "FileHash-SHA256": 167, "CVE": 8, "domain": 323, "hostname": 71 }, "indicator_count": 972, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846a993fd84ef827e92ac15", "name": "BladedFeline: Unmasking the Iran-Aligned Cyberespionage Group", "description": "Dive into ESET's comprehensive analysis of BladedFeline, an Iran-aligned APT group with likely ties to OilRig. This report uncovers the group's sophisticated cyberespionage operations targeting Kurdish and Iraqi government officials. Learn about their advanced tools, including the Whisper backdoor and PrimeCache IIS module, and their persistent efforts to maintain access to high-ranking officials.", "modified": "2025-07-09T09:00:16.142000", "created": "2025-06-09T09:29:55.771000", "tags": [ "strong", "bladedfeline", "whisper", "primecache", "oilrig", "laret", "pinar", "c server", "krg system", "step", "rdat", "virustotal", "olala", "null", "powershell", "lsass", "first", "format", "execution", "lumma stealer", "tips", "plink", "psexec", "danbot", "shark", "milan", "solar", "mango", "mark", "next", "win64", "example", "unknown", "shell", "python", "persistence", "danabot" ], "references": [ "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 5, "domain": 5, "hostname": 5 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dropper.agent.gi", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dropper.agent.gi", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780397127.1108382 }