{ "type": "URL", "indicator": "https://github.githubassets.com/assets/light-5178aee0ee76.css", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.githubassets.com/assets/light-5178aee0ee76.css", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain githubassets.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4074865022, "indicator": "https://github.githubassets.com/assets/light-5178aee0ee76.css", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a0dad06d8bb37ada19229bc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:45:58.360000", "created": "2026-05-20T12:45:58.360000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb22ae45efab0266fc2", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.775000", "created": "2026-05-20T12:44:34.775000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb2971f3103a0dddbcc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.547000", "created": "2026-05-20T12:44:34.547000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cobalt strike" ], "industries": [], "unique_indicators": 947 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/githubassets.com", "whois": "http://whois.domaintools.com/githubassets.com", "domain": "githubassets.com", "hostname": "github.githubassets.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a0dad06d8bb37ada19229bc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:45:58.360000", "created": "2026-05-20T12:45:58.360000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb22ae45efab0266fc2", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.775000", "created": "2026-05-20T12:44:34.775000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb2971f3103a0dddbcc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.547000", "created": "2026-05-20T12:44:34.547000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.githubassets.com/assets/light-5178aee0ee76.css", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.githubassets.com/assets/light-5178aee0ee76.css", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223546.4392998 }