{ "type": "URL", "indicator": "https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3995226813, "indicator": "https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6716012a868b8277693de414", "name": "ClickFix tactic: The Phantom Meet - Sekoia.io Blog", "description": "A new social engineering tactic used by cybercrime groups to spread malware has been identified by researchers at Sekoia Research, a leading security firm, in a report published in the journal Security Research.", "modified": "2024-11-20T07:05:26.386000", "created": "2024-10-21T07:22:18.944000", "tags": [ "google meet", "clickfix", "amos stealer", "slavic nation", "empire", "sekoia", "commeet", "sha256", "telegram", "web3", "stealc", "facebook", "rhadamanthys", "powershell", "matanbuchus", "darkgate", "june", "clearfake", "august", "lumma stealer", "macos", "ultimate", "marko polo", "netsupport", "lumma", "amos" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Transport", "Logistics", "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 15, "domain": 145, "hostname": 7 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Marko Polo" ], "malware_families": [ "Matanbuchus", "Stealc", "Amos", "Netsupport", "Clickfix", "Lumma" ], "industries": [ "Finance", "Logistics", "Cryptocurrency", "Transport" ], "unique_indicators": 185 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "gist.github.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6716012a868b8277693de414", "name": "ClickFix tactic: The Phantom Meet - Sekoia.io Blog", "description": "A new social engineering tactic used by cybercrime groups to spread malware has been identified by researchers at Sekoia Research, a leading security firm, in a report published in the journal Security Research.", "modified": "2024-11-20T07:05:26.386000", "created": "2024-10-21T07:22:18.944000", "tags": [ "google meet", "clickfix", "amos stealer", "slavic nation", "empire", "sekoia", "commeet", "sha256", "telegram", "web3", "stealc", "facebook", "rhadamanthys", "powershell", "matanbuchus", "darkgate", "june", "clearfake", "august", "lumma stealer", "macos", "ultimate", "marko polo", "netsupport", "lumma", "amos" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Transport", "Logistics", "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 15, "domain": 145, "hostname": 7 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "556 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://gist.github.com/qbourgue/e7959e4089c1993045e01cb9c3cbc6a5", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170458.253833 }