{ "type": "URL", "indicator": "https://golden-scalen.com/files/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://golden-scalen.com/files/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4009029855, "indicator": "https://golden-scalen.com/files/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "674de977b41339ca66388410", "name": "Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT", "description": "The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.", "modified": "2024-12-03T15:13:21.665000", "created": "2024-12-02T17:08:07.758000", "tags": [ "meduza", "remote access", "burnsrat", "netsupport rat" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "Mustard Tempest", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "BurnsRAT", "display_name": "BurnsRAT", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Meduza", "display_name": "Meduza", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 6, "domain": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386507, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "674f6fd8047b5a24c9b5791f", "name": "Horns&Hooves Campaign Targets Users with Malware via Phishing", "description": "Researchers have identified a malware campaign known as Horns&Hooves, targeting private users, retailers, and service businesses primarily in Russia. The campaign has affected over 1,000 victims since its onset in March 2023. Its primary tactic involves sending emails that appear legitimate, featuring ZIP archives that contain JScript scripts. These scripts are cleverly disguised as routine business communications like customer requests or partnership bids.", "modified": "2025-01-06T23:11:08.362000", "created": "2024-12-03T20:53:44.192000", "tags": [ "burnsrat", "javascript", "malware", "malware descriptions", "malware statistics", "malware technologies", "netsupport rat", "phishing", "rat trojan", "horns", "ta569", "hooves", "request", "appdata", "rdp wrapper", "zip archive", "september", "april", "openssl", "august", "malicious", "capture", "june", "february", "date", "meduza", "\u0437\u0430\u043f\u0440\u043e\u0441", "trojans", "horns&hooves", "rms", "netsupport" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "Germany", "Colombia", "Ecuador", "Chile", "Panama" ], "malware_families": [ { "id": "\u0417\u0430\u043f\u0440\u043e\u0441", "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441", "target": null }, { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Horns&Hooves", "display_name": "Horns&Hooves", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 18, "domain": 9, "hostname": 1 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6751b435e2401f5c2025d1cb", "name": "NetSupport RAT and RMS in malicious emails | Securelist", "description": "A Russian cyber-security firm, Kaspersky, has revealed details of a malicious email campaign that began in September 2016 and will last for at least three years to the end of the year.", "modified": "2025-01-06T23:11:01.995000", "created": "2024-12-05T14:09:57.863000", "tags": [ "burnsrat", "javascript", "malware", "malware descriptions", "malware statistics", "malware technologies", "netsupport rat", "phishing", "rat trojan", "horns", "ta569", "hooves", "request", "appdata", "rdp wrapper", "zip archive", "september", "april", "openssl", "rhadamanthys", "august", "malicious", "capture", "june", "february", "date", "meduza", "\u0437\u0430\u043f\u0440\u043e\u0441", "trojans", "horns&hooves", "rms", "netsupport" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "Germany", "Colombia", "Ecuador", "Chile", "Panama" ], "malware_families": [ { "id": "\u0417\u0430\u043f\u0440\u043e\u0441", "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441", "target": null }, { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Horns&Hooves", "display_name": "Horns&Hooves", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 18, "domain": 9, "hostname": 1 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "related": { "alienvault": { "adversary": [ "Mustard Tempest" ], "malware_families": [ "Netsupport rat", "Burnsrat", "Meduza", "Rhadamanthys" ], "industries": [ "Retail" ], "unique_indicators": 41 }, "other": { "adversary": [ "TA569" ], "malware_families": [ "Trojans", "Netsupport", "\u0417\u0430\u043f\u0440\u043e\u0441", "Horns&hooves", "Rms" ], "industries": [], "unique_indicators": 78 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/golden-scalen.com", "whois": "http://whois.domaintools.com/golden-scalen.com", "domain": "golden-scalen.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "674de977b41339ca66388410", "name": "Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT", "description": "The Horns&Hooves campaign, active since March 2023, targets Russian businesses with malicious email attachments containing scripts that install NetSupport RAT or BurnsRAT. The campaign evolved through several versions, improving obfuscation and delivery methods. It uses decoy documents and legitimate-looking file names to trick users. The attackers, likely associated with the TA569 group, gain remote access to infected systems and potentially sell this access to other cybercriminals. The campaign has affected over a thousand users, primarily in Russia, and has been observed attempting to install additional malware like Rhadamanthys and Meduza stealers.", "modified": "2024-12-03T15:13:21.665000", "created": "2024-12-02T17:08:07.758000", "tags": [ "meduza", "remote access", "burnsrat", "netsupport rat" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "Mustard Tempest", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null }, { "id": "BurnsRAT", "display_name": "BurnsRAT", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "Meduza", "display_name": "Meduza", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Retail" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 6, "domain": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386507, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "674f6fd8047b5a24c9b5791f", "name": "Horns&Hooves Campaign Targets Users with Malware via Phishing", "description": "Researchers have identified a malware campaign known as Horns&Hooves, targeting private users, retailers, and service businesses primarily in Russia. The campaign has affected over 1,000 victims since its onset in March 2023. Its primary tactic involves sending emails that appear legitimate, featuring ZIP archives that contain JScript scripts. These scripts are cleverly disguised as routine business communications like customer requests or partnership bids.", "modified": "2025-01-06T23:11:08.362000", "created": "2024-12-03T20:53:44.192000", "tags": [ "burnsrat", "javascript", "malware", "malware descriptions", "malware statistics", "malware technologies", "netsupport rat", "phishing", "rat trojan", "horns", "ta569", "hooves", "request", "appdata", "rdp wrapper", "zip archive", "september", "april", "openssl", "august", "malicious", "capture", "june", "february", "date", "meduza", "\u0437\u0430\u043f\u0440\u043e\u0441", "trojans", "horns&hooves", "rms", "netsupport" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "Germany", "Colombia", "Ecuador", "Chile", "Panama" ], "malware_families": [ { "id": "\u0417\u0430\u043f\u0440\u043e\u0441", "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441", "target": null }, { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Horns&Hooves", "display_name": "Horns&Hooves", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 18, "domain": 9, "hostname": 1 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6751b435e2401f5c2025d1cb", "name": "NetSupport RAT and RMS in malicious emails | Securelist", "description": "A Russian cyber-security firm, Kaspersky, has revealed details of a malicious email campaign that began in September 2016 and will last for at least three years to the end of the year.", "modified": "2025-01-06T23:11:01.995000", "created": "2024-12-05T14:09:57.863000", "tags": [ "burnsrat", "javascript", "malware", "malware descriptions", "malware statistics", "malware technologies", "netsupport rat", "phishing", "rat trojan", "horns", "ta569", "hooves", "request", "appdata", "rdp wrapper", "zip archive", "september", "april", "openssl", "rhadamanthys", "august", "malicious", "capture", "june", "february", "date", "meduza", "\u0437\u0430\u043f\u0440\u043e\u0441", "trojans", "horns&hooves", "rms", "netsupport" ], "references": [ "https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "Germany", "Colombia", "Ecuador", "Chile", "Panama" ], "malware_families": [ { "id": "\u0417\u0430\u043f\u0440\u043e\u0441", "display_name": "\u0417\u0430\u043f\u0440\u043e\u0441", "target": null }, { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Horns&Hooves", "display_name": "Horns&Hooves", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 18, "domain": 9, "hostname": 1 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "509 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://golden-scalen.com/files/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://golden-scalen.com/files/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222107.276103 }