{ "type": "URL", "indicator": "https://fonts.shopifycdn.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://fonts.shopifycdn.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #2580", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain shopifycdn.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3776586875, "indicator": "https://fonts.shopifycdn.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68d62e5e038c036204e489ba", "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |", "description": "DiabloFans.com redirects to curse.llc a shopify storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C", "modified": "2025-10-26T05:01:11.780000", "created": "2025-09-26T06:10:38.550000", "tags": [ "handle", "entity", "host name", "rdap database", "iana registrar", "roles", "dnssec", "links", "namecheap", "namecheap inc", "script urls", "united", "unknown ns", "moved", "script domains", "passive dns", "ip address", "body", "gmt content", "type", "title", "date", "meta", "request", "get updates", "common upatre", "p2p zeus", "common header", "struct", "downloader", "exe download", "terse", "regsetvalueexa", "execution", "dock", "write", "next", "win32", "persistence", "malware", "copy", "unknown", "canada unknown", "alfper", "entries", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "location canada", "twitter", "present sep", "cname", "name servers", "search", "creation date", "canada", "certificate", "trojan", "ontario", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "development att", "href", "show technique", "mitre att", "ck matrix", "script", "network related", "input url", "network traffic", "t1204", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "flag", "canada canada", "strings", "cloudflar", "google", "googlecl", "facebook", "as autonomous", "system", "hetznera", "detail domain", "domain tree", "links domain", "requested", "url https", "general full", "name value", "resource", "asn13335", "cloudflarenet", "hash", "protocol h3", "express", "value", "please", "automatic", "webgl", "september", "variables", "shopify", "shopifypay", "st boolean", "shopifyforms", "raven", "hstr", "next associated", "mtb may", "ipv4 add", "trojanspy", "trojandropper", "span", "path", "button", "circle", "link", "keychains", "choose", "input", "small", "close", "form", "stop", "anime", "kitty", "iframe", "null", "open", "tarot", "footer", "curse", "first", "back", "error", "config", "contact", "signs", "main", "payment", "window" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 236, "FileHash-MD5": 320, "FileHash-SHA1": 314, "FileHash-SHA256": 2288, "URL": 889, "hostname": 361, "SSLCertFingerprint": 1, "email": 2, "CVE": 1 }, "indicator_count": 4412, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653d93d7558363942a332cd9", "name": "CVE-2023-43694", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-28T23:05:59.680000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "URL": 775, "FileHash-SHA1": 549, "domain": 453, "hostname": 292, "email": 5, "FileHash-SHA256": 2610, "FileHash-MD5": 586 }, "indicator_count": 5272, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "919 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 9680 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/shopifycdn.com", "whois": "http://whois.domaintools.com/shopifycdn.com", "domain": "shopifycdn.com", "hostname": "fonts.shopifycdn.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68d62e5e038c036204e489ba", "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |", "description": "DiabloFans.com redirects to curse.llc a shopify storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C", "modified": "2025-10-26T05:01:11.780000", "created": "2025-09-26T06:10:38.550000", "tags": [ "handle", "entity", "host name", "rdap database", "iana registrar", "roles", "dnssec", "links", "namecheap", "namecheap inc", "script urls", "united", "unknown ns", "moved", "script domains", "passive dns", "ip address", "body", "gmt content", "type", "title", "date", "meta", "request", "get updates", "common upatre", "p2p zeus", "common header", "struct", "downloader", "exe download", "terse", "regsetvalueexa", "execution", "dock", "write", "next", "win32", "persistence", "malware", "copy", "unknown", "canada unknown", "alfper", "entries", "ipv4", "pulse pulses", "urls", "files", "reverse dns", "location canada", "twitter", "present sep", "cname", "name servers", "search", "creation date", "canada", "certificate", "trojan", "ontario", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "development att", "href", "show technique", "mitre att", "ck matrix", "script", "network related", "input url", "network traffic", "t1204", "copy md5", "copy sha1", "copy sha256", "size", "sha1", "sha256", "flag", "canada canada", "strings", "cloudflar", "google", "googlecl", "facebook", "as autonomous", "system", "hetznera", "detail domain", "domain tree", "links domain", "requested", "url https", "general full", "name value", "resource", "asn13335", "cloudflarenet", "hash", "protocol h3", "express", "value", "please", "automatic", "webgl", "september", "variables", "shopify", "shopifypay", "st boolean", "shopifyforms", "raven", "hstr", "next associated", "mtb may", "ipv4 add", "trojanspy", "trojandropper", "span", "path", "button", "circle", "link", "keychains", "choose", "input", "small", "close", "form", "stop", "anime", "kitty", "iframe", "null", "open", "tarot", "footer", "curse", "first", "back", "error", "config", "contact", "signs", "main", "payment", "window" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 236, "FileHash-MD5": 320, "FileHash-SHA1": 314, "FileHash-SHA256": 2288, "URL": 889, "hostname": 361, "SSLCertFingerprint": 1, "email": 2, "CVE": 1 }, "indicator_count": 4412, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653d93d7558363942a332cd9", "name": "CVE-2023-43694", "description": "", "modified": "2023-11-27T23:02:02.229000", "created": "2023-10-28T23:05:59.680000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ellenmmm", "id": "233693", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "URL": 775, "FileHash-SHA1": 549, "domain": 453, "hostname": 292, "email": 5, "FileHash-SHA256": 2610, "FileHash-MD5": 586 }, "indicator_count": 5272, "is_author": false, "is_subscribing": null, "subscriber_count": 83, "modified_text": "919 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://fonts.shopifycdn.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://fonts.shopifycdn.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780529563.7997572 }