{ "type": "URL", "indicator": "https://fr.li", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://fr.li", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4042458756, "indicator": "https://fr.li", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68b333946d662330bd8d45d9", "name": "VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attack.", "description": "Between June and July 2025, a series of coordinated brute force and password spraying attacks were orchestrated from a group of Ukrainian networks, including FDN3, VAIZ, and E-RISHENNYA, alongside a Seychelles-based network known as TK-NET. FDN3, attributed to FOP Dmytro Nedilskyi and identified as AS211736, was particularly active, targeting SSL VPN and RDP devices and executing hundreds of thousands of such attacks over spans of up to three days. The malicious infrastructure exploited shared IPv4 prefixes among itself and its affiliated networks to bypass blocklists, indicating a sophisticated evasive strategy likely managed by a common administrator.", "modified": "2025-09-29T17:01:07.026000", "created": "2025-08-30T17:23:32.274000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be5c2e972874afe87ac04b", "name": "A nebula of Ukrainian networks engaged in brute force and password spraying", "description": "", "modified": "2025-09-29T17:01:07.026000", "created": "2025-09-08T04:31:42.645000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": "68b333946d662330bd8d45d9", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683b48483f80b827f6c6b909", "name": "Analyzing Noisy Networks and Malicious Traffic Through Masscan Servers", "description": "The identification of noisy networks that emit malicious traffic, utilizing Masscan servers as a critical tool for analysis. Through detailed methodologies and findings, the document offers valuable insights for cybersecurity professionals looking to enhance their threat detection capabilities.", "modified": "2025-06-30T18:02:45.098000", "created": "2025-05-31T18:19:52.927000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/05/TLP-CLEAR-BtHoster-Identifying-noisy-networks-emitting-malicious-traffic-through-masscan-servers-1.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "FileHash-MD5": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 12, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "335 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c586b5bacba874edce2bcb", "name": "PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks", "description": "The Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence to Proton66 (AS198953), another Russian AS, that we believe to be connected to the bulletproof services named \u2018SecureHost\u2018 and \u2018BEARHOST\u2018. We notably observed that both network\u2019s configurations are almost identical in terms of peering agreements and their respective share of loads throughout time.", "modified": "2025-04-29T14:22:22.704000", "created": "2025-03-03T10:38:45.845000", "tags": [], "references": [ "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 13, "URL": 20, "domain": 100, "email": 2, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "397 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/05/TLP-CLEAR-BtHoster-Identifying-noisy-networks-emitting-malicious-traffic-through-masscan-servers-1.pdf", "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf", "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 333 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fr.li", "whois": "http://whois.domaintools.com/fr.li", "domain": "fr.li", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68b333946d662330bd8d45d9", "name": "VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attack.", "description": "Between June and July 2025, a series of coordinated brute force and password spraying attacks were orchestrated from a group of Ukrainian networks, including FDN3, VAIZ, and E-RISHENNYA, alongside a Seychelles-based network known as TK-NET. FDN3, attributed to FOP Dmytro Nedilskyi and identified as AS211736, was particularly active, targeting SSL VPN and RDP devices and executing hundreds of thousands of such attacks over spans of up to three days. The malicious infrastructure exploited shared IPv4 prefixes among itself and its affiliated networks to bypass blocklists, indicating a sophisticated evasive strategy likely managed by a common administrator.", "modified": "2025-09-29T17:01:07.026000", "created": "2025-08-30T17:23:32.274000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be5c2e972874afe87ac04b", "name": "A nebula of Ukrainian networks engaged in brute force and password spraying", "description": "", "modified": "2025-09-29T17:01:07.026000", "created": "2025-09-08T04:31:42.645000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": "68b333946d662330bd8d45d9", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683b48483f80b827f6c6b909", "name": "Analyzing Noisy Networks and Malicious Traffic Through Masscan Servers", "description": "The identification of noisy networks that emit malicious traffic, utilizing Masscan servers as a critical tool for analysis. Through detailed methodologies and findings, the document offers valuable insights for cybersecurity professionals looking to enhance their threat detection capabilities.", "modified": "2025-06-30T18:02:45.098000", "created": "2025-05-31T18:19:52.927000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/05/TLP-CLEAR-BtHoster-Identifying-noisy-networks-emitting-malicious-traffic-through-masscan-servers-1.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "FileHash-MD5": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 12, "hostname": 3 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "335 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67c586b5bacba874edce2bcb", "name": "PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks", "description": "The Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence to Proton66 (AS198953), another Russian AS, that we believe to be connected to the bulletproof services named \u2018SecureHost\u2018 and \u2018BEARHOST\u2018. We notably observed that both network\u2019s configurations are almost identical in terms of peering agreements and their respective share of loads throughout time.", "modified": "2025-04-29T14:22:22.704000", "created": "2025-03-03T10:38:45.845000", "tags": [], "references": [ "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 13, "URL": 20, "domain": 100, "email": 2, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "397 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://fr.li", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://fr.li", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780304488.9162054 }