{ "type": "URL", "indicator": "https://file-server.store/update", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://file-server.store/update", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4143515564, "indicator": "https://file-server.store/update", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69003b85c217870cc5794cc6", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.", "modified": "2025-10-28T09:30:13.914000", "created": "2025-10-28T03:41:57.869000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 386816, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691473b72eee91d1a6b22b4f", "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers", "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.", "modified": "2025-12-12T11:04:05.038000", "created": "2025-11-12T11:47:02.981000", "tags": [ "apple macos", "apt", "bluenoroff", "chatgpt", "github", "linux", "microsoft windows", "telegram", "windows", "applescript", "zoom", "cosmicdoor", "downtroy", "rootroy", "gillyinjector", "base64", "macos", "rust", "python", "swift", "powershell", "path", "macho", "sapphire", "downexec", "exodus", "target", "agent", "installer", "ditto", "effect", "install", "premium", "zero", "konni", "themida", "lsass", "exodus web3", "lazarus", "huntress", "nim", "c https", "googie llc", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate" ], "references": [ "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "FileHash-MD5": 57, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "domain": 22, "hostname": 23 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69099ae3319099e17ce0969f", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-11-04T06:19:15.728000", "created": "2025-11-04T06:19:15.728000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6901bda4549c558a81dc00a5", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "209 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6902e567c252949d8c75e8c1", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-10-30T04:11:19.757000", "created": "2025-10-30T04:11:19.757000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": "69003b85c217870cc5794cc6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6901bda4549c558a81dc00a5", "name": "IOC - Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.", "modified": "2025-10-29T07:09:24.634000", "created": "2025-10-29T07:09:24.634000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69010d8cbf528688e76b28a6", "name": "BlueNoroff Targets High Value Victims with New infiltration Methods", "description": "MSTeamsUpdate.sh, Safari update, and other updates are all part of the BBC's Newsround programme, which is broadcast live on BBC One from Monday, 2:00 BST.", "modified": "2025-10-28T18:39:19.476000", "created": "2025-10-28T18:38:04.399000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "216 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/", "OCT.pdf", "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842", "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "related": { "alienvault": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Teamsclutch", "Silentsiphon", "Sysphon", "Sneakmain", "Rootroy", "Downtroy", "Zoomclutch", "Cosmicdoor", "Realtimetroy" ], "industries": [ "Technology", "Finance" ], "unique_indicators": 160 }, "other": { "adversary": [ "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "BlueNoroff" ], "malware_families": [ "Teamsclutch", "Silentsiphon", "Sysphon", "Sneakmain", "Rootroy", "Downtroy", "Zoomclutch", "Cosmicdoor", "Realtimetroy" ], "industries": [ "Technology", "Finance" ], "unique_indicators": 873 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/file-server.store", "whois": "http://whois.domaintools.com/file-server.store", "domain": "file-server.store", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69003b85c217870cc5794cc6", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitment processes. Both campaigns utilize various malware chains, including ZoomClutch, DownTroy, CosmicDoor, RooTroy, and SilentSiphon. The attacks involve social engineering, AI-enhanced images, and multi-stage malware deployment across Windows, macOS, and Linux systems. BlueNoroff has expanded its focus beyond cryptocurrency theft to comprehensive data acquisition, enabling supply chain attacks and leveraging established trust relationships for broader impact.", "modified": "2025-10-28T09:30:13.914000", "created": "2025-10-28T03:41:57.869000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 386816, "modified_text": "216 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691473b72eee91d1a6b22b4f", "name": "BlueNoroff Group cryptoaffair: \"ghost\" investments and bogus job offers", "description": "The BlueNoroff Group, known by various aliases including APT38 and TA444, has been actively targeting blockchain developers and Web3 executives through its operational campaigns, notably SnatchCrypto. A significant part of this operation involves the GhostCall and GhostHire campaigns, which exploit social engineering tactics. The GhostCall campaign, operational since mid-2023, employs deceptive video conferencing to recruit victims. Attackers masquerade as venture capitalists via platforms like Telegram, using compromised accounts of legitimate entrepreneurs. They initiate contact with potential targets and arrange meetings through spoofed Zoom links or direct messages, utilizing disguised phishing URLs. The attackers leverage multi-stage execution chains; the infection typically begins with the DownTroy malware, which downloads various self-contained executables, including keyloggers and data stealers like CosmicDoor and RooTroy.", "modified": "2025-12-12T11:04:05.038000", "created": "2025-11-12T11:47:02.981000", "tags": [ "apple macos", "apt", "bluenoroff", "chatgpt", "github", "linux", "microsoft windows", "telegram", "windows", "applescript", "zoom", "cosmicdoor", "downtroy", "rootroy", "gillyinjector", "base64", "macos", "rust", "python", "swift", "powershell", "path", "macho", "sapphire", "downexec", "exodus", "target", "agent", "installer", "ditto", "effect", "install", "premium", "zero", "konni", "themida", "lsass", "exodus web3", "lazarus", "huntress", "nim", "c https", "googie llc", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate" ], "references": [ "https://securelist.ru/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/113883/" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "FileHash-MD5": 57, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "domain": 22, "hostname": 23 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "171 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69099ae3319099e17ce0969f", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-11-04T06:19:15.728000", "created": "2025-11-04T06:19:15.728000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6901bda4549c558a81dc00a5", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "209 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6902e567c252949d8c75e8c1", "name": "Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "", "modified": "2025-10-30T04:11:19.757000", "created": "2025-10-30T04:11:19.757000", "tags": [ "zoomclutch", "rootroy", "sysphon", "silentsiphon", "sneakmain", "cosmicdoor", "cryptocurrency" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842" ], "public": 1, "adversary": "BlueNoroff", "targeted_countries": [ "Australia", "British Indian Ocean Territory", "France", "Hong Kong", "India", "Italy", "Japan", "Singapore", "Spain", "Sweden" ], "malware_families": [ { "id": "ZoomClutch", "display_name": "ZoomClutch", "target": null }, { "id": "TeamsClutch", "display_name": "TeamsClutch", "target": null }, { "id": "DownTroy", "display_name": "DownTroy", "target": null }, { "id": "CosmicDoor", "display_name": "CosmicDoor", "target": null }, { "id": "RooTroy", "display_name": "RooTroy", "target": null }, { "id": "RealTimeTroy", "display_name": "RealTimeTroy", "target": null }, { "id": "SneakMain", "display_name": "SneakMain", "target": null }, { "id": "SysPhon", "display_name": "SysPhon", "target": null }, { "id": "SilentSiphon", "display_name": "SilentSiphon", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1559.001", "name": "Component Object Model", "display_name": "T1559.001 - Component Object Model" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Technology", "Finance" ], "TLP": "white", "cloned_from": "69003b85c217870cc5794cc6", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 13, "FileHash-SHA256": 21, "URL": 28, "domain": 21, "hostname": 20 }, "indicator_count": 160, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6901bda4549c558a81dc00a5", "name": "IOC - Crypto wasted: BlueNoroff\u2019s ghost mirage of funding and jobs", "description": "Primarily focused on financial gain since its appearance, BlueNoroff (aka. Sapphire Sleet, APT38, Alluring Pisces, Stardust Chollima, and TA444) has adopted new infiltration strategies and malware sets over time, but it still targets blockchain developers, C-level executives, and managers within the Web3/blockchain industry as part of its SnatchCrypto operation. Earlier this year, we conducted research into two malicious campaigns by BlueNoroff under the SnatchCrypto operation, which we dubbed GhostCall and GhostHire.", "modified": "2025-10-29T07:09:24.634000", "created": "2025-10-29T07:09:24.634000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [ "https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69010d8cbf528688e76b28a6", "name": "BlueNoroff Targets High Value Victims with New infiltration Methods", "description": "MSTeamsUpdate.sh, Safari update, and other updates are all part of the BBC's Newsround programme, which is broadcast live on BBC One from Monday, 2:00 BST.", "modified": "2025-10-28T18:39:19.476000", "created": "2025-10-28T18:38:04.399000", "tags": [ "googie llc", "cosmicdoor", "rust", "applescript", "teamsclutch", "microsoft teams", "downtroy v1", "safariupdate", "python", "rootroy chain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 56, "FileHash-SHA1": 25, "FileHash-SHA256": 25, "URL": 25, "domain": 21, "hostname": 18 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "216 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://file-server.store/update", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://file-server.store/update", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780380997.4556959 }