{ "type": "URL", "indicator": "https://greenxeonsr.info/Jsdfwejhrg.rko", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://greenxeonsr.info/Jsdfwejhrg.rko", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4137194691, "indicator": "https://greenxeonsr.info/Jsdfwejhrg.rko", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68df41b70832812f00aff2f3", "name": "Confucius Espionage: From Stealer to Backdoor", "description": "The Confucius group, a long-running cyber-espionage actor operating in South Asia, has evolved its tactics from document stealers to Python-based backdoors. Recent campaigns showcase the group's adaptability and growing sophistication, targeting government agencies, military organizations, and critical industries, particularly in Pakistan. The group has transitioned from using WooperStealer to deploying a Python variant of AnonDoor, demonstrating their ability to pivot between techniques, infrastructure, and malware families. Their attack chain includes weaponized Office documents, malicious LNK files, and multiple malware families, employing obfuscation techniques to evade detection. The group's persistence and rapid adaptation highlight the ongoing threat posed by state-aligned malware campaigns in the region.", "modified": "2025-10-03T08:55:56.786000", "created": "2025-10-03T03:23:35.990000", "tags": [ "anondoor", "south asia", "python backdoor", "pakistan", "cyber-espionage", "obfuscation", "lnk files", "wooperstealer" ], "references": [ "https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor" ], "public": 1, "adversary": "Confucius", "targeted_countries": [ "Pakistan" ], "malware_families": [ { "id": "WooperStealer", "display_name": "WooperStealer", "target": null }, { "id": "AnonDoor", "display_name": "AnonDoor", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 10, "domain": 8 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e3661756e2bfe3fdcc76d8", "name": "Confucius Espionage: From Stealer to Backdoor", "description": "", "modified": "2025-10-06T06:47:51.017000", "created": "2025-10-06T06:47:51.017000", "tags": [ "anondoor", "south asia", "python backdoor", "pakistan", "cyber-espionage", "obfuscation", "lnk files", "wooperstealer" ], "references": [ "https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor" ], "public": 1, "adversary": "Confucius", "targeted_countries": [ "Pakistan" ], "malware_families": [ { "id": "WooperStealer", "display_name": "WooperStealer", "target": null }, { "id": "AnonDoor", "display_name": "AnonDoor", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "68df41b70832812f00aff2f3", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 10, "domain": 8 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "237 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor", "IOCs_Oct week-1.pdf" ], "related": { "alienvault": { "adversary": [ "Confucius" ], "malware_families": [ "Anondoor", "Wooperstealer" ], "industries": [ "Defense", "Government" ], "unique_indicators": 26 }, "other": { "adversary": [ "Multiple APT/Malware", "Confucius" ], "malware_families": [ "Anondoor", "Wooperstealer" ], "industries": [ "Defense", "Government" ], "unique_indicators": 862 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/greenxeonsr.info", "whois": "http://whois.domaintools.com/greenxeonsr.info", "domain": "greenxeonsr.info", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68df41b70832812f00aff2f3", "name": "Confucius Espionage: From Stealer to Backdoor", "description": "The Confucius group, a long-running cyber-espionage actor operating in South Asia, has evolved its tactics from document stealers to Python-based backdoors. Recent campaigns showcase the group's adaptability and growing sophistication, targeting government agencies, military organizations, and critical industries, particularly in Pakistan. The group has transitioned from using WooperStealer to deploying a Python variant of AnonDoor, demonstrating their ability to pivot between techniques, infrastructure, and malware families. Their attack chain includes weaponized Office documents, malicious LNK files, and multiple malware families, employing obfuscation techniques to evade detection. The group's persistence and rapid adaptation highlight the ongoing threat posed by state-aligned malware campaigns in the region.", "modified": "2025-10-03T08:55:56.786000", "created": "2025-10-03T03:23:35.990000", "tags": [ "anondoor", "south asia", "python backdoor", "pakistan", "cyber-espionage", "obfuscation", "lnk files", "wooperstealer" ], "references": [ "https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor" ], "public": 1, "adversary": "Confucius", "targeted_countries": [ "Pakistan" ], "malware_families": [ { "id": "WooperStealer", "display_name": "WooperStealer", "target": null }, { "id": "AnonDoor", "display_name": "AnonDoor", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 10, "domain": 8 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386517, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "203 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e3661756e2bfe3fdcc76d8", "name": "Confucius Espionage: From Stealer to Backdoor", "description": "", "modified": "2025-10-06T06:47:51.017000", "created": "2025-10-06T06:47:51.017000", "tags": [ "anondoor", "south asia", "python backdoor", "pakistan", "cyber-espionage", "obfuscation", "lnk files", "wooperstealer" ], "references": [ "https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor" ], "public": 1, "adversary": "Confucius", "targeted_countries": [ "Pakistan" ], "malware_families": [ { "id": "WooperStealer", "display_name": "WooperStealer", "target": null }, { "id": "AnonDoor", "display_name": "AnonDoor", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "68df41b70832812f00aff2f3", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 10, "domain": 8 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "237 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://greenxeonsr.info/Jsdfwejhrg.rko", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://greenxeonsr.info/Jsdfwejhrg.rko", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780226664.5485191 }