{ "type": "URL", "indicator": "https://hell1-kitty.cc/gamecenter.fileManager", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://hell1-kitty.cc/gamecenter.fileManager", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4289339504, "indicator": "https://hell1-kitty.cc/gamecenter.fileManager", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0d2c740aaef53bdd9ca167", "name": "IOC - Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers.", "modified": "2026-05-20T03:37:24.680000", "created": "2026-05-20T03:37:24.680000", "tags": [ "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a079c15df0e628e840b536c", "name": "IBCART", "description": "Michigan is the only country in the United States with a record number of members of the House of Representatives with an all-time record of 20,000 members, all but one of them female.", "modified": "2026-05-15T22:20:05.679000", "created": "2026-05-15T22:20:05.679000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 28, "URL": 22, "FileHash-MD5": 108, "FileHash-SHA1": 9, "FileHash-SHA256": 25, "domain": 59, "hostname": 415 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07476c4037c7147786fb54", "name": "Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "The recent CountLoader campaign, identified by McAfee Labs, exemplifies a sophisticated method of cyberattack featuring multiple layers of obfuscation and a complex infection chain. The attackers utilize various loaders including PowerShell scripts and obfuscated JavaScript executed via mshta.exe to facilitate the infection process. Each stage of this process is designed to remain hidden, employing in-memory shellcode injection techniques that further complicate detection efforts.", "modified": "2026-05-15T16:18:52.891000", "created": "2026-05-15T16:18:52.891000", "tags": [ "compromise ioc", "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccc4e875fb8ee38f78fe74", "name": "dsfdfvgdvdf", "description": "", "modified": "2026-04-01T07:10:32.762000", "created": "2026-04-01T07:10:32.762000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "URL": 53 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager" ], "malware_families": [], "industries": [ "Finance" ], "unique_indicators": 1684 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hell1-kitty.cc", "whois": "http://whois.domaintools.com/hell1-kitty.cc", "domain": "hell1-kitty.cc", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0d2c740aaef53bdd9ca167", "name": "IOC - Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers.", "modified": "2026-05-20T03:37:24.680000", "created": "2026-05-20T03:37:24.680000", "tags": [ "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a079c15df0e628e840b536c", "name": "IBCART", "description": "Michigan is the only country in the United States with a record number of members of the House of Representatives with an all-time record of 20,000 members, all but one of them female.", "modified": "2026-05-15T22:20:05.679000", "created": "2026-05-15T22:20:05.679000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 28, "URL": 22, "FileHash-MD5": 108, "FileHash-SHA1": 9, "FileHash-SHA256": 25, "domain": 59, "hostname": 415 }, "indicator_count": 666, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a07476c4037c7147786fb54", "name": "Sinkholing CountLoader: Insights into Its Recent Campaign", "description": "The recent CountLoader campaign, identified by McAfee Labs, exemplifies a sophisticated method of cyberattack featuring multiple layers of obfuscation and a complex infection chain. The attackers utilize various loaders including PowerShell scripts and obfuscated JavaScript executed via mshta.exe to facilitate the infection process. Each stage of this process is designed to remain hidden, employing in-memory shellcode injection techniques that further complicate detection efforts.", "modified": "2026-05-15T16:18:52.891000", "created": "2026-05-15T16:18:52.891000", "tags": [ "compromise ioc", "ps url", "urls https", "countloader c2", "domains", "c2 https" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sinkholing-countloader-insights-into-its-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 19, "domain": 24 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccc4e875fb8ee38f78fe74", "name": "dsfdfvgdvdf", "description": "", "modified": "2026-04-01T07:10:32.762000", "created": "2026-04-01T07:10:32.762000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "URL": 53 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://hell1-kitty.cc/gamecenter.fileManager", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://hell1-kitty.cc/gamecenter.fileManager", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780206250.464827 }