{ "type": "URL", "indicator": "https://file.bigcloud.n-e.kr/index.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://file.bigcloud.n-e.kr/index.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4358955721, "indicator": "https://file.bigcloud.n-e.kr/index.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a05af0979e3cc1214a50d4e", "name": "Disclosing new PebbleDash-based tools", "description": "Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...", "modified": "2026-05-14T18:12:49.059000", "created": "2026-05-14T11:16:25.351000", "tags": [ "xrat", "vscode tunneling", "appleseed", "httptroy", "kimsuky", "spear-phishing", "south korea", "babyshark", "tutrat", "coolclient", "httpmalice", "zichatbot", "memload", "httpspy", "dwagent", "valleyrat", "happydoor", "pebbledash", "randomquery", "xenorat", "troll stealer", "hellodoor" ], "references": [ "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HelloDoor", "display_name": "HelloDoor", "target": null }, { "id": "httpMalice", "display_name": "httpMalice", "target": null }, { "id": "MemLoad", "display_name": "MemLoad", "target": null }, { "id": "httpTroy", "display_name": "httpTroy", "target": null }, { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "HappyDoor", "display_name": "HappyDoor", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "XenoRAT", "display_name": "XenoRAT", "target": null }, { "id": "TutRAT", "display_name": "TutRAT", "target": null }, { "id": "httpSpy", "display_name": "httpSpy", "target": null }, { "id": "Troll Stealer", "display_name": "Troll Stealer", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ZiChatBot", "display_name": "ZiChatBot", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Defense", "Government", "Healthcare", "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 6, "FileHash-SHA256": 4, "URL": 5, "domain": 1, "hostname": 15 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a06a56c4de4473292916686", "name": "Disclosing new PebbleDash-based tools", "description": "", "modified": "2026-05-15T04:47:40.282000", "created": "2026-05-15T04:47:40.282000", "tags": [ "xrat", "vscode tunneling", "appleseed", "httptroy", "kimsuky", "spear-phishing", "south korea", "babyshark", "tutrat", "coolclient", "httpmalice", "zichatbot", "memload", "httpspy", "dwagent", "valleyrat", "happydoor", "pebbledash", "randomquery", "xenorat", "troll stealer", "hellodoor" ], "references": [ "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HelloDoor", "display_name": "HelloDoor", "target": null }, { "id": "httpMalice", "display_name": "httpMalice", "target": null }, { "id": "MemLoad", "display_name": "MemLoad", "target": null }, { "id": "httpTroy", "display_name": "httpTroy", "target": null }, { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "HappyDoor", "display_name": "HappyDoor", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "XenoRAT", "display_name": "XenoRAT", "target": null }, { "id": "TutRAT", "display_name": "TutRAT", "target": null }, { "id": "httpSpy", "display_name": "httpSpy", "target": null }, { "id": "Troll Stealer", "display_name": "Troll Stealer", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ZiChatBot", "display_name": "ZiChatBot", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Defense", "Government", "Healthcare", "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "6a05af0979e3cc1214a50d4e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 6, "FileHash-SHA256": 4, "URL": 5, "domain": 1, "hostname": 15 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/" ], "related": { "alienvault": { "adversary": [ "Kimsuky" ], "malware_families": [ "Happydoor", "Troll stealer", "Zichatbot", "Babyshark - s0414", "Xenorat", "Valleyrat", "Httpspy", "Memload", "Xrat", "Httptroy", "Tutrat", "Coolclient", "Appleseed - s0622", "Httpmalice", "Randomquery", "Hellodoor" ], "industries": [ "Healthcare", "Manufacturing", "Defense", "Energy", "Government" ], "unique_indicators": 50 }, "other": { "adversary": [ "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "Kimsuky" ], "malware_families": [ "Happydoor", "Troll stealer", "Zichatbot", "Babyshark - s0414", "Xenorat", "Valleyrat", "Httpspy", "Memload", "Xrat", "Httptroy", "Tutrat", "Coolclient", "Appleseed - s0622", "Httpmalice", "Randomquery", "Hellodoor" ], "industries": [ "Healthcare", "Manufacturing", "Defense", "Energy", "Government" ], "unique_indicators": 1023 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/n-e.kr", "whois": "http://whois.domaintools.com/n-e.kr", "domain": "n-e.kr", "hostname": "file.bigcloud.n-e.kr" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a05af0979e3cc1214a50d4e", "name": "Disclosing new PebbleDash-based tools", "description": "Kaspersky researchers conducted an in-depth analysis of Kimsuky APT activity, revealing tactical shifts and new malware variants based on the PebbleDash platform. The group introduced HelloDoor, a Rust-based backdoor, httpMalice leveraging HTTP and Dropbox communications, and updated MemLoad and httpTroy variants. Kimsuky maintains persistence through legitimate tools including VSCode Tunneling with GitHub authentication and DWAgent remote management software. Initial access occurs via spear-phishing with malicious attachments disguised as documents. The group primarily targets South Korean entities across government and defense sectors, with additional PebbleDash attacks observed in Brazil and Germany. Infrastructure relies on free South Korean hosting services and tunneling services like Cloudflare Quick Tunnels and Ngrok. Both PebbleDash and AppleSeed malware clusters demonstrate ongoing development with shared distribution methods, stolen certificates, and overlapping targets, indicating single-actor c...", "modified": "2026-05-14T18:12:49.059000", "created": "2026-05-14T11:16:25.351000", "tags": [ "xrat", "vscode tunneling", "appleseed", "httptroy", "kimsuky", "spear-phishing", "south korea", "babyshark", "tutrat", "coolclient", "httpmalice", "zichatbot", "memload", "httpspy", "dwagent", "valleyrat", "happydoor", "pebbledash", "randomquery", "xenorat", "troll stealer", "hellodoor" ], "references": [ "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HelloDoor", "display_name": "HelloDoor", "target": null }, { "id": "httpMalice", "display_name": "httpMalice", "target": null }, { "id": "MemLoad", "display_name": "MemLoad", "target": null }, { "id": "httpTroy", "display_name": "httpTroy", "target": null }, { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "HappyDoor", "display_name": "HappyDoor", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "XenoRAT", "display_name": "XenoRAT", "target": null }, { "id": "TutRAT", "display_name": "TutRAT", "target": null }, { "id": "httpSpy", "display_name": "httpSpy", "target": null }, { "id": "Troll Stealer", "display_name": "Troll Stealer", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ZiChatBot", "display_name": "ZiChatBot", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Defense", "Government", "Healthcare", "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 6, "FileHash-SHA256": 4, "URL": 5, "domain": 1, "hostname": 15 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a06a56c4de4473292916686", "name": "Disclosing new PebbleDash-based tools", "description": "", "modified": "2026-05-15T04:47:40.282000", "created": "2026-05-15T04:47:40.282000", "tags": [ "xrat", "vscode tunneling", "appleseed", "httptroy", "kimsuky", "spear-phishing", "south korea", "babyshark", "tutrat", "coolclient", "httpmalice", "zichatbot", "memload", "httpspy", "dwagent", "valleyrat", "happydoor", "pebbledash", "randomquery", "xenorat", "troll stealer", "hellodoor" ], "references": [ "https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [], "malware_families": [ { "id": "HelloDoor", "display_name": "HelloDoor", "target": null }, { "id": "httpMalice", "display_name": "httpMalice", "target": null }, { "id": "MemLoad", "display_name": "MemLoad", "target": null }, { "id": "httpTroy", "display_name": "httpTroy", "target": null }, { "id": "AppleSeed - S0622", "display_name": "AppleSeed - S0622", "target": null }, { "id": "HappyDoor", "display_name": "HappyDoor", "target": null }, { "id": "BabyShark - S0414", "display_name": "BabyShark - S0414", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "xRAT", "display_name": "xRAT", "target": null }, { "id": "XenoRAT", "display_name": "XenoRAT", "target": null }, { "id": "TutRAT", "display_name": "TutRAT", "target": null }, { "id": "httpSpy", "display_name": "httpSpy", "target": null }, { "id": "Troll Stealer", "display_name": "Troll Stealer", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ZiChatBot", "display_name": "ZiChatBot", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Defense", "Government", "Healthcare", "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "6a05af0979e3cc1214a50d4e", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 6, "FileHash-SHA256": 4, "URL": 5, "domain": 1, "hostname": 15 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://file.bigcloud.n-e.kr/index.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://file.bigcloud.n-e.kr/index.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780200705.7524323 }