{ "type": "URL", "indicator": "https://extensions.shopifycdn.com/cdn/shopifycloud/web-pixels-manager", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://extensions.shopifycdn.com/cdn/shopifycloud/web-pixels-manager", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #2580", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain shopifycdn.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4135072609, "indicator": "https://extensions.shopifycdn.com/cdn/shopifycloud/web-pixels-manager", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a147a0bf4e914672a802773", "name": "forever-canadian[.]ca - 05.25.26", "description": "This is a grassroots political advocacy initiative focused on keeping Alberta in Canada, driven by Lukaszuk and volunteers in response to separatist sentiments in the province. Curiously, it appears they have fallen victim to #Cybercrime. Status of Website: Hacked. Participant Data: Active Distribution (i.e. Data in active use by Cybercriminals). Safety of visiting website: unknown (verdict by HA = Malicious).", "modified": "2026-05-25T16:46:06.153000", "created": "2026-05-25T16:34:19.519000", "tags": [ "entity", "geoip", "as13335", "cloudflarenet", "cloudflare", "as16509", "amazon02", "vercel geoip", "google llc", "as396982", "facebook", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "please", "javascript", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "temp", "ansi", "translate", "downloadbubble", "webbluetooth", "passkeyauth", "fencedframes", "fledge", "pcap processing", "pcap", "win64", "date", "null", "accept", "path", "suspicious", "comspec", "cookie", "mozilla", "hybrid", "defense evasion", "close", "model", "click", "hosts", "patch", "over", "general", "encrypt", "level", "wind", "window", "strings", "contact", "url", "website", "web", "scanner", "analyze", "analyzer", "search", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login" ], "references": [ "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://urlscan.io/search", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 94, "URL": 397, "domain": 34, "hostname": 59, "FileHash-MD5": 12, "FileHash-SHA1": 11, "FileHash-SHA256": 5, "SSLCertFingerprint": 11, "email": 4 }, "indicator_count": 627, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d62e5e038c036204e489ba", "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |", "description": "DiabloFans.com redirects to curse.llc a shopify storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C", "modified": "2025-10-26T05:01:11.780000", "created": "2025-09-26T06:10:38.550000", "tags": [ "handle", "entity", "host name", "rdap database", "iana registrar", "roles", "dnssec", "links", "namecheap", "namecheap inc", "script urls", "united", "unknown ns", "moved", "script domains", "passive dns", "ip address", "body", "gmt content", "type", "title", "date", "meta", "request", "get updates", "common upatre", "p2p zeus", "common header", "struct", "downloader", "exe download", "terse", "regsetvalueexa", "execution", "dock", "write", "next", "win32", "persistence", "malware", "copy", "unknown", "canada unknown", "alfper", "entries", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "location canada", "twitter", "present sep", "cname", "name servers", "search", "creation date", "canada", "certificate", "trojan", "ontario", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "development att", "href", "show technique", "mitre att", "ck matrix", "script", "network related", "input url", "network traffic", "t1204", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "flag", "canada canada", "strings", "cloudflar", "google", "googlecl", "facebook", "as autonomous", "system", "hetznera", "detail domain", "domain tree", "links domain", "requested", "url https", "general full", "name value", "resource", "asn13335", "cloudflarenet", "hash", "protocol h3", "express", "value", "please", "automatic", "webgl", "september", "variables", "shopify", "shopifypay", "st boolean", "shopifyforms", "raven", "hstr", "next associated", "mtb may", "ipv4 add", "trojanspy", "trojandropper", "span", "path", "button", "circle", "link", "keychains", "choose", "input", "small", "close", "form", "stop", "anime", "kitty", "iframe", "null", "open", "tarot", "footer", "curse", "first", "back", "error", "config", "contact", "signs", "main", "payment", "window" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 236, "FileHash-MD5": 320, "FileHash-SHA1": 314, "FileHash-SHA256": 2288, "URL": 889, "hostname": 361, "SSLCertFingerprint": 1, "email": 2, "CVE": 1 }, "indicator_count": 4412, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://urlscan.io/search", "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Government" ], "unique_indicators": 5102 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/shopifycdn.com", "whois": "http://whois.domaintools.com/shopifycdn.com", "domain": "shopifycdn.com", "hostname": "extensions.shopifycdn.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a147a0bf4e914672a802773", "name": "forever-canadian[.]ca - 05.25.26", "description": "This is a grassroots political advocacy initiative focused on keeping Alberta in Canada, driven by Lukaszuk and volunteers in response to separatist sentiments in the province. Curiously, it appears they have fallen victim to #Cybercrime. Status of Website: Hacked. Participant Data: Active Distribution (i.e. Data in active use by Cybercriminals). Safety of visiting website: unknown (verdict by HA = Malicious).", "modified": "2026-05-25T16:46:06.153000", "created": "2026-05-25T16:34:19.519000", "tags": [ "entity", "geoip", "as13335", "cloudflarenet", "cloudflare", "as16509", "amazon02", "vercel geoip", "google llc", "as396982", "facebook", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "please", "javascript", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "temp", "ansi", "translate", "downloadbubble", "webbluetooth", "passkeyauth", "fencedframes", "fledge", "pcap processing", "pcap", "win64", "date", "null", "accept", "path", "suspicious", "comspec", "cookie", "mozilla", "hybrid", "defense evasion", "close", "model", "click", "hosts", "patch", "over", "general", "encrypt", "level", "wind", "window", "strings", "contact", "url", "website", "web", "scanner", "analyze", "analyzer", "search", "search api", "make sure", "domain", "and not", "page", "home search", "live api", "blog docs", "pricing login" ], "references": [ "https://www.virustotal.com/graph/embed/g5467d8748b4f4a739e6f5d84e15a0a36c60806dc093a4a9ba27ed4a08df63187?theme=dark", "https://www.filescan.io/uploads/6a146fa8efbd399b39ccfd7b/reports/3a0b8fe6-3657-400e-9cfa-eead3847b2b6/overview", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/summary", "https://www.virustotal.com/gui/collection/bc6e1feb3491c0f9e455e1f513d44afbbcfce4084e6b506c80a19e54f934adf9/iocs", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987", "https://hybrid-analysis.com/sample/93395b86310fc54df817f2898de3874ff2317dce2f10b95200d1c6f73162e987/6a14751933f72f34d60993b8", "https://urlscan.io/search", "https://viz.greynoise.io/ip/analysis/585ba692-65c8-4295-a308-0914d3378b41" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 94, "URL": 397, "domain": 34, "hostname": 59, "FileHash-MD5": 12, "FileHash-SHA1": 11, "FileHash-SHA256": 5, "SSLCertFingerprint": 11, "email": 4 }, "indicator_count": 627, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d62e5e038c036204e489ba", "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |", "description": "DiabloFans.com redirects to curse.llc a shopify storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C", "modified": "2025-10-26T05:01:11.780000", "created": "2025-09-26T06:10:38.550000", "tags": [ "handle", "entity", "host name", "rdap database", "iana registrar", "roles", "dnssec", "links", "namecheap", "namecheap inc", "script urls", "united", "unknown ns", "moved", "script domains", "passive dns", "ip address", "body", "gmt content", "type", "title", "date", "meta", "request", "get updates", "common upatre", "p2p zeus", "common header", "struct", "downloader", "exe download", "terse", "regsetvalueexa", "execution", "dock", "write", "next", "win32", "persistence", "malware", "copy", "unknown", "canada unknown", "alfper", "entries", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "location canada", "twitter", "present sep", "cname", "name servers", "search", "creation date", "canada", "certificate", "trojan", "ontario", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "development att", "href", "show technique", "mitre att", "ck matrix", "script", "network related", "input url", "network traffic", "t1204", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "flag", "canada canada", "strings", "cloudflar", "google", "googlecl", "facebook", "as autonomous", "system", "hetznera", "detail domain", "domain tree", "links domain", "requested", "url https", "general full", "name value", "resource", "asn13335", "cloudflarenet", "hash", "protocol h3", "express", "value", "please", "automatic", "webgl", "september", "variables", "shopify", "shopifypay", "st boolean", "shopifyforms", "raven", "hstr", "next associated", "mtb may", "ipv4 add", "trojanspy", "trojandropper", "span", "path", "button", "circle", "link", "keychains", "choose", "input", "small", "close", "form", "stop", "anime", "kitty", "iframe", "null", "open", "tarot", "footer", "curse", "first", "back", "error", "config", "contact", "signs", "main", "payment", "window" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 236, "FileHash-MD5": 320, "FileHash-SHA1": 314, "FileHash-SHA256": 2288, "URL": 889, "hostname": 361, "SSLCertFingerprint": 1, "email": 2, "CVE": 1 }, "indicator_count": 4412, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://extensions.shopifycdn.com/cdn/shopifycloud/web-pixels-manager", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://extensions.shopifycdn.com/cdn/shopifycloud/web-pixels-manager", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780440192.2841172 }