{
  "type": "URL",
  "indicator": "https://eventhub.header.process.name",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://eventhub.header.process.name",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4073327935,
      "indicator": "https://eventhub.header.process.name",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "685504a184b712521ffeb975",
          "name": "Threat Advisory: LightPerlGirl Malware",
          "description": "The malware campaign centered around a threat actor utilizing a fake CAPTCHA popup dubbed ClickFix, which deceives users into executing malicious PowerShell commands. This initial compromise occurs when a user visits a compromised WordPress site that serves a JavaScript payload, mimicking a legitimate security check. The malicious dialog prompts the user to engage with a PowerShell command, which is obfuscated to evade detection. This command reaches out to a command-and-control (C2) server at cmbkz8kz1000108k2carjewzf.info and initiates a multi-stage infection process.",
          "modified": "2025-07-20T06:03:58.975000",
          "created": "2025-06-20T06:50:09.809000",
          "tags": [
            "todyl",
            "strong",
            "powershell",
            "c2 server",
            "urex",
            "exwpl",
            "helpio",
            "lightperlgirl",
            "runas",
            "ascii",
            "execution",
            "next",
            "info",
            "attack",
            "defender",
            "path",
            "main",
            "never",
            "hunt",
            "contact"
          ],
          "references": [
            "https://www.todyl.com/blog/threat-advisory-lightperlgirl-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LightPerlGirl",
              "display_name": "LightPerlGirl",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1218.012",
              "name": "Verclsid",
              "display_name": "T1218.012 - Verclsid"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1548.002",
              "name": "Bypass User Account Control",
              "display_name": "T1548.002 - Bypass User Account Control"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 3,
            "URL": 25,
            "domain": 3,
            "hostname": 8
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "315 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "684124ef2e8badb3e5395e43",
          "name": "Windows Defender Exclusions Added via PowerShell | Detection Rules Overview",
          "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published, and it will not appear on BBC Radio 5 live or on iPlayer.",
          "modified": "2025-06-05T05:02:39.006000",
          "created": "2025-06-05T05:02:39.006000",
          "tags": [
            "logstash",
            "create",
            "kubernetes",
            "kibana",
            "elastic agent",
            "system",
            "google cloud",
            "filebeat",
            "elasticsearch",
            "agent",
            "error",
            "span",
            "project",
            "general",
            "powershell",
            "upgrade",
            "apache",
            "cloud",
            "curator",
            "icmp",
            "service",
            "monitoring",
            "install",
            "prometheus",
            "watcher",
            "date",
            "rest",
            "scroll",
            "hosts",
            "collector",
            "local",
            "benchmark",
            "graphite",
            "legacy",
            "tips",
            "codec",
            "defender",
            "spaces",
            "korean",
            "frozen",
            "score",
            "observer",
            "multi",
            "matrix",
            "trickbot",
            "virustotal",
            "false",
            "stop",
            "stack",
            "ms windows",
            "intel",
            "pe32",
            "pe32 executable"
          ],
          "references": [
            "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 17,
            "URL": 29,
            "FileHash-SHA256": 161,
            "FileHash-MD5": 107,
            "FileHash-SHA1": 105
          },
          "indicator_count": 423,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "360 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html",
        "https://www.todyl.com/blog/threat-advisory-lightperlgirl-malware"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Lightperlgirl"
          ],
          "industries": [],
          "unique_indicators": 439
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/process.name",
    "whois": "http://whois.domaintools.com/process.name",
    "domain": "process.name",
    "hostname": "eventhub.header.process.name"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "685504a184b712521ffeb975",
      "name": "Threat Advisory: LightPerlGirl Malware",
      "description": "The malware campaign centered around a threat actor utilizing a fake CAPTCHA popup dubbed ClickFix, which deceives users into executing malicious PowerShell commands. This initial compromise occurs when a user visits a compromised WordPress site that serves a JavaScript payload, mimicking a legitimate security check. The malicious dialog prompts the user to engage with a PowerShell command, which is obfuscated to evade detection. This command reaches out to a command-and-control (C2) server at cmbkz8kz1000108k2carjewzf.info and initiates a multi-stage infection process.",
      "modified": "2025-07-20T06:03:58.975000",
      "created": "2025-06-20T06:50:09.809000",
      "tags": [
        "todyl",
        "strong",
        "powershell",
        "c2 server",
        "urex",
        "exwpl",
        "helpio",
        "lightperlgirl",
        "runas",
        "ascii",
        "execution",
        "next",
        "info",
        "attack",
        "defender",
        "path",
        "main",
        "never",
        "hunt",
        "contact"
      ],
      "references": [
        "https://www.todyl.com/blog/threat-advisory-lightperlgirl-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LightPerlGirl",
          "display_name": "LightPerlGirl",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1218.012",
          "name": "Verclsid",
          "display_name": "T1218.012 - Verclsid"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1548.002",
          "name": "Bypass User Account Control",
          "display_name": "T1548.002 - Bypass User Account Control"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 3,
        "URL": 25,
        "domain": 3,
        "hostname": 8
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "315 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "684124ef2e8badb3e5395e43",
      "name": "Windows Defender Exclusions Added via PowerShell | Detection Rules Overview",
      "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published, and it will not appear on BBC Radio 5 live or on iPlayer.",
      "modified": "2025-06-05T05:02:39.006000",
      "created": "2025-06-05T05:02:39.006000",
      "tags": [
        "logstash",
        "create",
        "kubernetes",
        "kibana",
        "elastic agent",
        "system",
        "google cloud",
        "filebeat",
        "elasticsearch",
        "agent",
        "error",
        "span",
        "project",
        "general",
        "powershell",
        "upgrade",
        "apache",
        "cloud",
        "curator",
        "icmp",
        "service",
        "monitoring",
        "install",
        "prometheus",
        "watcher",
        "date",
        "rest",
        "scroll",
        "hosts",
        "collector",
        "local",
        "benchmark",
        "graphite",
        "legacy",
        "tips",
        "codec",
        "defender",
        "spaces",
        "korean",
        "frozen",
        "score",
        "observer",
        "multi",
        "matrix",
        "trickbot",
        "virustotal",
        "false",
        "stop",
        "stack",
        "ms windows",
        "intel",
        "pe32",
        "pe32 executable"
      ],
      "references": [
        "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "hostname": 17,
        "URL": 29,
        "FileHash-SHA256": 161,
        "FileHash-MD5": 107,
        "FileHash-SHA1": 105
      },
      "indicator_count": 423,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "360 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://eventhub.header.process.name",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://eventhub.header.process.name",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780265672.4923508
}