{
  "type": "URL",
  "indicator": "https://github-scanner.com/l6E.exe",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://github-scanner.com/l6E.exe",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3978898126,
      "indicator": "https://github-scanner.com/l6E.exe",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "673b4d7444eb18d613635395",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
          "description": "The ClickFix social engineering technique, which tricks users into copying and running malicious PowerShell commands, has become increasingly prevalent across the threat landscape. Initially observed in campaigns by TA571 and ClearFake, it is now used by multiple threat actors to deliver various malware types. The technique often employs fake error messages or CAPTCHA checks to deceive users. Recent examples include GitHub notification impersonations delivering Lumma Stealer, Swiss-targeted campaigns distributing AsyncRAT, fake software updates deploying NetSupport RAT, and ChatGPT-themed malvertising delivering XWorm. The technique's popularity stems from its effectiveness in bypassing security measures by exploiting users' desire to resolve issues independently.",
          "modified": "2024-12-18T14:00:57.423000",
          "created": "2024-11-18T14:21:40.975000",
          "tags": [
            "malware delivery",
            "cybersecurity",
            "asyncrat",
            "social engineering",
            "darkgate",
            "lucky volunteer",
            "recaptcha phish",
            "danabot",
            "netsupport",
            "latrodectus",
            "lumma stealer",
            "xworm",
            "threat actors",
            "powershell",
            "clickfix",
            "brute ratel c4"
          ],
          "references": [
            "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Switzerland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Danabot",
              "display_name": "Danabot",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Brute Ratel C4",
              "display_name": "Brute Ratel C4",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "Lucky Volunteer",
              "display_name": "Lucky Volunteer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056.004",
              "name": "Credential API Hooking",
              "display_name": "T1056.004 - Credential API Hooking"
            }
          ],
          "industries": [
            "Transportation",
            "Logistics"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 77,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 5,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376726,
          "modified_text": "482 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "673b3777fec02b9049e4aa52",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
          "description": "Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are employing ClickFix through compromised websites, documents, HTML attachments, and malicious URLs. Recent campaigns have included GitHub security vulnerability notifications, Swiss e-commerce marketplace impersonations, fake software updates, and ChatGPT-themed malvertising. The technique has been observed delivering various malware, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. The popularity of ClickFix is attributed to its effectiveness in bypassing security protections by exploiting users' desire to be helpful and independent.",
          "modified": "2024-12-18T12:03:01.372000",
          "created": "2024-11-18T12:47:51.286000",
          "tags": [
            "malware delivery",
            "threat landscape",
            "asyncrat",
            "social engineering",
            "darkgate",
            "lucky volunteer",
            "recaptcha phish",
            "danabot",
            "netsupport",
            "latrodectus",
            "lumma stealer",
            "xworm",
            "phishing",
            "powershell",
            "clickfix",
            "brute ratel c4"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Switzerland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Danabot",
              "display_name": "Danabot",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Brute Ratel C4",
              "display_name": "Brute Ratel C4",
              "target": null
            },
            {
              "id": "Latrodectus",
              "display_name": "Latrodectus",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            },
            {
              "id": "Lucky Volunteer",
              "display_name": "Lucky Volunteer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 74,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 5,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376725,
          "modified_text": "482 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "662e0a50715909a2ce36d1d5",
          "name": "Jeroen Gui lists (https://file.jeroengui.be)",
          "description": "A pulse fed with lists taken from https://file.jeroengui.be . I am not him. Visit his website jeroengui.be",
          "modified": "2025-09-21T05:30:59.802000",
          "created": "2024-04-28T08:35:28.934000",
          "tags": [
            "phishing",
            "jeroengui",
            "jeroen",
            "gui",
            "malware",
            "web",
            "shell",
            "scam",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "phishing ; jeroengui ; jeroen ; gui ; malware ; web ; shell",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1089,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tomtomalien",
            "id": "258713",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "URL": 905612
          },
          "indicator_count": 905613,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 157,
          "modified_text": "205 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "673c906dfcbf8f74c5261599",
          "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, at the \u00a31.5bn (1bn euros) conference in New York, which is being held this week.",
          "modified": "2024-12-19T13:03:09.256000",
          "created": "2024-11-19T13:19:41.117000",
          "tags": [
            "proofpoint",
            "clickfix",
            "powershell",
            "html",
            "github",
            "clearfake",
            "september",
            "brute ratel",
            "ta571",
            "captcha",
            "asyncrat",
            "lumma stealer",
            "phish",
            "august",
            "ukraine",
            "xworm",
            "danabot",
            "darkgate",
            "verify",
            "agent",
            "aresloader",
            "purelog",
            "ta578",
            "ta579",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
          ],
          "public": 1,
          "adversary": "ClickFix",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Proofpoint",
              "display_name": "Proofpoint",
              "target": null
            },
            {
              "id": "PureLog",
              "display_name": "PureLog",
              "target": null
            },
            {
              "id": "TA578",
              "display_name": "TA578",
              "target": null
            },
            {
              "id": "TA579",
              "display_name": "TA579",
              "target": null
            },
            {
              "id": "ClickFix",
              "display_name": "ClickFix",
              "target": null
            },
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Government",
            "Higher Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 6,
            "hostname": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 844,
          "modified_text": "481 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f4369c8c456fad7f796ad2",
          "name": "Behind the CAPTCHA: A Clever Gateway of Malware (URLs) - McAfee post",
          "description": "Scanner only picked up hashes, as URLs were sanitized[.] Added the domain/URLs for this pulse.\nFrom: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
          "modified": "2024-09-25T16:13:16.579000",
          "created": "2024-09-25T16:13:16.579000",
          "tags": [
            "malicious urls",
            "Lumma Stealer"
          ],
          "references": [
            "Captcha_Lumma_URL_IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 24,
            "domain": 3
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "566 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Captcha_Lumma_URL_IOCs.csv",
        "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape",
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Lucky volunteer",
            "Xworm",
            "Netsupport",
            "Lumma stealer",
            "Latrodectus",
            "Asyncrat",
            "Brute ratel c4",
            "Danabot",
            "Darkgate"
          ],
          "industries": [
            "Government",
            "Technology",
            "Transportation",
            "Logistics"
          ],
          "unique_indicators": 32
        },
        "other": {
          "adversary": [
            "phishing ; jeroengui ; jeroen ; gui ; malware ; web ; shell",
            "ClickFix"
          ],
          "malware_families": [
            "Ta578",
            "Ta579",
            "Netsupport",
            "Lumma stealer",
            "Lumma",
            "Purelog",
            "Proofpoint",
            "Clickfix"
          ],
          "industries": [
            "Government",
            "Higher education"
          ],
          "unique_indicators": 895513
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/github-scanner.com",
    "whois": "http://whois.domaintools.com/github-scanner.com",
    "domain": "github-scanner.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "673b4d7444eb18d613635395",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
      "description": "The ClickFix social engineering technique, which tricks users into copying and running malicious PowerShell commands, has become increasingly prevalent across the threat landscape. Initially observed in campaigns by TA571 and ClearFake, it is now used by multiple threat actors to deliver various malware types. The technique often employs fake error messages or CAPTCHA checks to deceive users. Recent examples include GitHub notification impersonations delivering Lumma Stealer, Swiss-targeted campaigns distributing AsyncRAT, fake software updates deploying NetSupport RAT, and ChatGPT-themed malvertising delivering XWorm. The technique's popularity stems from its effectiveness in bypassing security measures by exploiting users' desire to resolve issues independently.",
      "modified": "2024-12-18T14:00:57.423000",
      "created": "2024-11-18T14:21:40.975000",
      "tags": [
        "malware delivery",
        "cybersecurity",
        "asyncrat",
        "social engineering",
        "darkgate",
        "lucky volunteer",
        "recaptcha phish",
        "danabot",
        "netsupport",
        "latrodectus",
        "lumma stealer",
        "xworm",
        "threat actors",
        "powershell",
        "clickfix",
        "brute ratel c4"
      ],
      "references": [
        "https://proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Switzerland",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "Danabot",
          "display_name": "Danabot",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Brute Ratel C4",
          "display_name": "Brute Ratel C4",
          "target": null
        },
        {
          "id": "Latrodectus",
          "display_name": "Latrodectus",
          "target": null
        },
        {
          "id": "Lucky Volunteer",
          "display_name": "Lucky Volunteer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056.004",
          "name": "Credential API Hooking",
          "display_name": "T1056.004 - Credential API Hooking"
        }
      ],
      "industries": [
        "Transportation",
        "Logistics"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 77,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 5,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376726,
      "modified_text": "482 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "673b3777fec02b9049e4aa52",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape",
      "description": "Proofpoint researchers have identified a surge in the ClickFix social engineering technique across the threat landscape. This technique uses dialogue boxes with fake error messages to trick users into copying, pasting, and running malicious content on their computers. Multiple threat actors are employing ClickFix through compromised websites, documents, HTML attachments, and malicious URLs. Recent campaigns have included GitHub security vulnerability notifications, Swiss e-commerce marketplace impersonations, fake software updates, and ChatGPT-themed malvertising. The technique has been observed delivering various malware, including AsyncRAT, Danabot, DarkGate, Lumma Stealer, and NetSupport. The popularity of ClickFix is attributed to its effectiveness in bypassing security protections by exploiting users' desire to be helpful and independent.",
      "modified": "2024-12-18T12:03:01.372000",
      "created": "2024-11-18T12:47:51.286000",
      "tags": [
        "malware delivery",
        "threat landscape",
        "asyncrat",
        "social engineering",
        "darkgate",
        "lucky volunteer",
        "recaptcha phish",
        "danabot",
        "netsupport",
        "latrodectus",
        "lumma stealer",
        "xworm",
        "phishing",
        "powershell",
        "clickfix",
        "brute ratel c4"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Switzerland",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "Danabot",
          "display_name": "Danabot",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Brute Ratel C4",
          "display_name": "Brute Ratel C4",
          "target": null
        },
        {
          "id": "Latrodectus",
          "display_name": "Latrodectus",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        },
        {
          "id": "Lucky Volunteer",
          "display_name": "Lucky Volunteer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Technology",
        "Transportation",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 74,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 5,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376725,
      "modified_text": "482 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "662e0a50715909a2ce36d1d5",
      "name": "Jeroen Gui lists (https://file.jeroengui.be)",
      "description": "A pulse fed with lists taken from https://file.jeroengui.be . I am not him. Visit his website jeroengui.be",
      "modified": "2025-09-21T05:30:59.802000",
      "created": "2024-04-28T08:35:28.934000",
      "tags": [
        "phishing",
        "jeroengui",
        "jeroen",
        "gui",
        "malware",
        "web",
        "shell",
        "scam",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "phishing ; jeroengui ; jeroen ; gui ; malware ; web ; shell",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1089,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tomtomalien",
        "id": "258713",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_258713/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "URL": 905612
      },
      "indicator_count": 905613,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 157,
      "modified_text": "205 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "673c906dfcbf8f74c5261599",
      "name": "Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape | Proofpoint US",
      "description": "Find out more about Proofpoint, the world's leading cybersecurity provider, at the \u00a31.5bn (1bn euros) conference in New York, which is being held this week.",
      "modified": "2024-12-19T13:03:09.256000",
      "created": "2024-11-19T13:19:41.117000",
      "tags": [
        "proofpoint",
        "clickfix",
        "powershell",
        "html",
        "github",
        "clearfake",
        "september",
        "brute ratel",
        "ta571",
        "captcha",
        "asyncrat",
        "lumma stealer",
        "phish",
        "august",
        "ukraine",
        "xworm",
        "danabot",
        "darkgate",
        "verify",
        "agent",
        "aresloader",
        "purelog",
        "ta578",
        "ta579",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
      ],
      "public": 1,
      "adversary": "ClickFix",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Proofpoint",
          "display_name": "Proofpoint",
          "target": null
        },
        {
          "id": "PureLog",
          "display_name": "PureLog",
          "target": null
        },
        {
          "id": "TA578",
          "display_name": "TA578",
          "target": null
        },
        {
          "id": "TA579",
          "display_name": "TA579",
          "target": null
        },
        {
          "id": "ClickFix",
          "display_name": "ClickFix",
          "target": null
        },
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Government",
        "Higher Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 6,
        "hostname": 1
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 844,
      "modified_text": "481 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f4369c8c456fad7f796ad2",
      "name": "Behind the CAPTCHA: A Clever Gateway of Malware (URLs) - McAfee post",
      "description": "Scanner only picked up hashes, as URLs were sanitized[.] Added the domain/URLs for this pulse.\nFrom: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/",
      "modified": "2024-09-25T16:13:16.579000",
      "created": "2024-09-25T16:13:16.579000",
      "tags": [
        "malicious urls",
        "Lumma Stealer"
      ],
      "references": [
        "Captcha_Lumma_URL_IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 24,
        "domain": 3
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "566 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://github-scanner.com/l6E.exe",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://github-scanner.com/l6E.exe",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776222412.4849827
}