{
  "type": "URL",
  "indicator": "https://journalide.org/djour.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://journalide.org/djour.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3667737968,
      "indicator": "https://journalide.org/djour.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "69d3553a6a951fc038ecfdbf",
          "name": "cloning so mine dont go missing clone arek-btc credit Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX CREATED 10 MONTHS AGO MODIFIED 9 MONTHS AGO by Arek-BTC",
          "description": "",
          "modified": "2026-04-06T06:43:36.386000",
          "created": "2026-04-06T06:39:54.842000",
          "tags": [
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "emotet payload",
            "f8 b9",
            "emotet",
            "c0 c3",
            "c0 c7",
            "c3 b8",
            "ce e8",
            "cf e8",
            "f3 ff",
            "dc ff",
            "sha256",
            "vhash",
            "rich pe",
            "ssdeep",
            "aaaa",
            "document file",
            "v2 document",
            "crlf line",
            "unicode text",
            "utf8",
            "rgba",
            "ms windows",
            "vista event",
            "file v2",
            "document",
            "defender",
            "linux",
            "lazarus",
            "simplextea",
            "figura",
            "strong",
            "badcall",
            "virustotal",
            "opendrive",
            "windows",
            "c server",
            "corea",
            "gopuram",
            "iconicstealer",
            "crisis",
            "malware",
            "coldcat",
            "danabot",
            "lumma stealer",
            "updateagent",
            "twitter",
            "taxhaul",
            "como",
            "first",
            "phishing",
            "execution",
            "este",
            "odicloader",
            "upload",
            "iconicloader",
            "tabla 1"
          ],
          "references": [
            "http://dlvr.it/Sn3dHM"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Upload",
              "display_name": "Upload",
              "target": null
            },
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "Tabla 1",
              "display_name": "Tabla 1",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            },
            {
              "id": "Figura",
              "display_name": "Figura",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684143b86c3aa6bb874c7673",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 4,
            "URL": 17,
            "email": 3,
            "hostname": 5,
            "FileHash-MD5": 64,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 68,
            "domain": 15,
            "CVE": 1,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "55 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "684143b86c3aa6bb874c7673",
          "name": "Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX",
          "description": "The code for the YARA malware has been released under the BSD 2-Clause license by ESET, the software developer behind the security software for Windows.",
          "modified": "2025-07-05T07:02:43.264000",
          "created": "2025-06-05T07:13:58.467000",
          "tags": [
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "emotet payload",
            "f8 b9",
            "emotet",
            "c0 c3",
            "c0 c7",
            "c3 b8",
            "ce e8",
            "cf e8",
            "f3 ff",
            "dc ff",
            "sha256",
            "vhash",
            "rich pe",
            "ssdeep",
            "aaaa",
            "document file",
            "v2 document",
            "crlf line",
            "unicode text",
            "utf8",
            "rgba",
            "ms windows",
            "vista event",
            "file v2",
            "document",
            "defender",
            "linux",
            "lazarus",
            "simplextea",
            "figura",
            "strong",
            "badcall",
            "virustotal",
            "opendrive",
            "windows",
            "c server",
            "corea",
            "gopuram",
            "iconicstealer",
            "crisis",
            "malware",
            "coldcat",
            "danabot",
            "lumma stealer",
            "updateagent",
            "twitter",
            "taxhaul",
            "como",
            "first",
            "phishing",
            "execution",
            "este",
            "odicloader",
            "upload",
            "iconicloader",
            "tabla 1"
          ],
          "references": [
            "http://dlvr.it/Sn3dHM"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Upload",
              "display_name": "Upload",
              "target": null
            },
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "Tabla 1",
              "display_name": "Tabla 1",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            },
            {
              "id": "Figura",
              "display_name": "Figura",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 3,
            "URL": 13,
            "email": 3,
            "hostname": 3,
            "FileHash-MD5": 57,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 42,
            "domain": 15
          },
          "indicator_count": 151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 125,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6446448ba212aebffbff0521",
          "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
          "description": "",
          "modified": "2023-04-24T08:57:47.853000",
          "created": "2023-04-24T08:57:47.853000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "6446446689d32b09abe6e49d",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1133 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6446446689d32b09abe6e49d",
          "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
          "description": "",
          "modified": "2023-04-24T08:57:10.197000",
          "created": "2023-04-24T08:57:10.197000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "6441964769a8efb69bb45f90",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1133 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64429da483a1b9f1e06e8db3",
          "name": " Linux malware strengthens links between Lazarus and the 3CX supply-chain attack | WeLiveSecurity",
          "description": "",
          "modified": "2023-04-21T14:28:52.179000",
          "created": "2023-04-21T14:28:52.179000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "64429d16134fbc3a29a332ed",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "YARA": 1,
            "domain": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1136 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "644282e508213ef0ee3d90ae",
          "name": "Lazarus hackers now push Linux malware via fake job offers",
          "description": "A new Lazarus campaign considered part of \"Operation DreamJob\" has been discovered targeting Linux users with malware for the first time.\n\nThis new targeting was discovered by ESET's researchers, who say it also helps confirm with high confidence that Lazarus conducted the recent supply-chain attack on VoIP provider 3CX.\n\nThe attack was discovered in March 2023, compromising multiple companies that used the trojanized version of the 3CX client with information-stealing trojans.",
          "modified": "2023-04-21T12:34:45.321000",
          "created": "2023-04-21T12:34:45.321000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/",
            "https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 296,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 2,
            "YARA": 1,
            "domain": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 433,
          "modified_text": "1136 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6441964769a8efb69bb45f90",
          "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
          "description": "",
          "modified": "2023-04-20T19:45:11.099000",
          "created": "2023-04-20T19:45:11.099000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "6441714f4e386bcc8270f33a",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "burtcha15",
            "id": "207697",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "1137 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64419390afa37caafab1b2fe",
          "name": "Linux malware strengthens links between Lazarus and the 3CX supply chain attack",
          "description": "",
          "modified": "2023-04-20T19:33:36.834000",
          "created": "2023-04-20T19:33:36.834000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": "6441714f4e386bcc8270f33a",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sciurinae",
            "id": "204640",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 29,
          "modified_text": "1137 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6441714f4e386bcc8270f33a",
          "name": "Linux malware strengthens links between Lazarus and the 3CX supply chain attack | WeLiveSecurity",
          "description": "ESET researchers have found new evidence that North Korea-aligned hackers are behind a recent supply-chain attack on the 3CX VoIP software developer and distributor, and that they are targeting Linux users.",
          "modified": "2023-04-20T17:07:49.387000",
          "created": "2023-04-20T17:07:27.223000",
          "tags": [
            "lazarus",
            "linux",
            "simplextea",
            "windows",
            "badcall",
            "simplesea",
            "odicloader",
            "simplextea linux",
            "linux dreamjob",
            "macos",
            "simplesea macos",
            "iconicloader",
            "virustotal",
            "eset research",
            "march",
            "figure",
            "iconicstealer",
            "february",
            "april",
            "first",
            "august",
            "updateagent",
            "malware",
            "open",
            "podcast"
          ],
          "references": [
            "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "Argentina",
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA macOS",
              "display_name": "SIMPLESEA macOS",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Linux DreamJob",
              "display_name": "Linux DreamJob",
              "target": null
            },
            {
              "id": "SimplexTea Linux",
              "display_name": "SimplexTea Linux",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "SIMPLESEA",
              "display_name": "SIMPLESEA",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            }
          ],
          "industries": [
            "Military",
            "Cryptocurrency",
            "Hospitality",
            "Healthcare",
            "Defense",
            "Aerospace"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cyber74Team",
            "id": "202637",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 4,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 166,
          "modified_text": "1137 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/",
        "http://dlvr.it/Sn3dHM",
        "https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Tabla 1",
            "Iconicloader",
            "Simplextea linux",
            "Macos",
            "Upload",
            "Simplextea",
            "Figura",
            "Simplesea",
            "Linux dreamjob",
            "Badcall",
            "Windows",
            "Odicloader",
            "Simplesea macos",
            "Linux"
          ],
          "industries": [
            "Military",
            "Hospitality",
            "Healthcare",
            "Cryptocurrency",
            "Aerospace",
            "Defense"
          ],
          "unique_indicators": 193
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/journalide.org",
    "whois": "http://whois.domaintools.com/journalide.org",
    "domain": "journalide.org",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "69d3553a6a951fc038ecfdbf",
      "name": "cloning so mine dont go missing clone arek-btc credit Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX CREATED 10 MONTHS AGO MODIFIED 9 MONTHS AGO by Arek-BTC",
      "description": "",
      "modified": "2026-04-06T06:43:36.386000",
      "created": "2026-04-06T06:39:54.842000",
      "tags": [
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "emotet payload",
        "f8 b9",
        "emotet",
        "c0 c3",
        "c0 c7",
        "c3 b8",
        "ce e8",
        "cf e8",
        "f3 ff",
        "dc ff",
        "sha256",
        "vhash",
        "rich pe",
        "ssdeep",
        "aaaa",
        "document file",
        "v2 document",
        "crlf line",
        "unicode text",
        "utf8",
        "rgba",
        "ms windows",
        "vista event",
        "file v2",
        "document",
        "defender",
        "linux",
        "lazarus",
        "simplextea",
        "figura",
        "strong",
        "badcall",
        "virustotal",
        "opendrive",
        "windows",
        "c server",
        "corea",
        "gopuram",
        "iconicstealer",
        "crisis",
        "malware",
        "coldcat",
        "danabot",
        "lumma stealer",
        "updateagent",
        "twitter",
        "taxhaul",
        "como",
        "first",
        "phishing",
        "execution",
        "este",
        "odicloader",
        "upload",
        "iconicloader",
        "tabla 1"
      ],
      "references": [
        "http://dlvr.it/Sn3dHM"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Upload",
          "display_name": "Upload",
          "target": null
        },
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "Tabla 1",
          "display_name": "Tabla 1",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        },
        {
          "id": "Figura",
          "display_name": "Figura",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "684143b86c3aa6bb874c7673",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 4,
        "URL": 17,
        "email": 3,
        "hostname": 5,
        "FileHash-MD5": 64,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 68,
        "domain": 15,
        "CVE": 1,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "55 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "684143b86c3aa6bb874c7673",
      "name": "Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX",
      "description": "The code for the Yara malware has been released under the two-clause BSD 2-Clause license by ESet, the software developer and developer of the security software for Windows.",
      "modified": "2025-07-05T07:02:43.264000",
      "created": "2025-06-05T07:13:58.467000",
      "tags": [
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "emotet payload",
        "f8 b9",
        "emotet",
        "c0 c3",
        "c0 c7",
        "c3 b8",
        "ce e8",
        "cf e8",
        "f3 ff",
        "dc ff",
        "sha256",
        "vhash",
        "rich pe",
        "ssdeep",
        "aaaa",
        "document file",
        "v2 document",
        "crlf line",
        "unicode text",
        "utf8",
        "rgba",
        "ms windows",
        "vista event",
        "file v2",
        "document",
        "defender",
        "linux",
        "lazarus",
        "simplextea",
        "figura",
        "strong",
        "badcall",
        "virustotal",
        "opendrive",
        "windows",
        "c server",
        "corea",
        "gopuram",
        "iconicstealer",
        "crisis",
        "malware",
        "coldcat",
        "danabot",
        "lumma stealer",
        "updateagent",
        "twitter",
        "taxhaul",
        "como",
        "first",
        "phishing",
        "execution",
        "este",
        "odicloader",
        "upload",
        "iconicloader",
        "tabla 1"
      ],
      "references": [
        "http://dlvr.it/Sn3dHM"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Upload",
          "display_name": "Upload",
          "target": null
        },
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "Tabla 1",
          "display_name": "Tabla 1",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        },
        {
          "id": "Figura",
          "display_name": "Figura",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 3,
        "URL": 13,
        "email": 3,
        "hostname": 3,
        "FileHash-MD5": 57,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 42,
        "domain": 15
      },
      "indicator_count": 151,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 125,
      "modified_text": "330 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6446448ba212aebffbff0521",
      "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
      "description": "",
      "modified": "2023-04-24T08:57:47.853000",
      "created": "2023-04-24T08:57:47.853000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": "6446446689d32b09abe6e49d",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1133 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6446446689d32b09abe6e49d",
      "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
      "description": "",
      "modified": "2023-04-24T08:57:10.197000",
      "created": "2023-04-24T08:57:10.197000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": "6441964769a8efb69bb45f90",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1133 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64429da483a1b9f1e06e8db3",
      "name": " Linux malware strengthens links between Lazarus and the 3CX supply-chain attack | WeLiveSecurity",
      "description": "",
      "modified": "2023-04-21T14:28:52.179000",
      "created": "2023-04-21T14:28:52.179000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": "64429d16134fbc3a29a332ed",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "YARA": 1,
        "domain": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1136 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "644282e508213ef0ee3d90ae",
      "name": "Lazarus hackers now push Linux malware via fake job offers",
      "description": "A new Lazarus campaign considered part of \"Operation DreamJob\" has been discovered targeting Linux users with malware for the first time.\n\nThis new targeting was discovered by ESET's researchers, who say it also helps confirm with high confidence that Lazarus conducted the recent supply-chain attack on VoIP provider 3CX.\n\nThe attack, discovered in March 2023, compromised multiple companies that used the trojanized version of the 3CX client, infecting them with information-stealing trojans.",
      "modified": "2023-04-21T12:34:45.321000",
      "created": "2023-04-21T12:34:45.321000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/",
        "https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 296,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 2,
        "YARA": 1,
        "domain": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 433,
      "modified_text": "1136 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6441964769a8efb69bb45f90",
      "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack",
      "description": "",
      "modified": "2023-04-20T19:45:11.099000",
      "created": "2023-04-20T19:45:11.099000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": "6441714f4e386bcc8270f33a",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "burtcha15",
        "id": "207697",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 52,
      "modified_text": "1137 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64419390afa37caafab1b2fe",
      "name": "Linux malware strengthens links between Lazarus and the 3CX supply chain attack",
      "description": "",
      "modified": "2023-04-20T19:33:36.834000",
      "created": "2023-04-20T19:33:36.834000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": "6441714f4e386bcc8270f33a",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sciurinae",
        "id": "204640",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 29,
      "modified_text": "1137 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6441714f4e386bcc8270f33a",
      "name": "Linux malware strengthens links between Lazarus and the 3CX supply chain attack | WeLiveSecurity",
      "description": "ESET researchers have found new evidence that North Korea-aligned hackers are behind a recent supply-chain attack on the 3CX VoIP software developer and distributor, and that they are targeting Linux users.",
      "modified": "2023-04-20T17:07:49.387000",
      "created": "2023-04-20T17:07:27.223000",
      "tags": [
        "lazarus",
        "linux",
        "simplextea",
        "windows",
        "badcall",
        "simplesea",
        "odicloader",
        "simplextea linux",
        "linux dreamjob",
        "macos",
        "simplesea macos",
        "iconicloader",
        "virustotal",
        "eset research",
        "march",
        "figure",
        "iconicstealer",
        "february",
        "april",
        "first",
        "august",
        "updateagent",
        "malware",
        "open",
        "podcast"
      ],
      "references": [
        "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "Argentina",
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA macOS",
          "display_name": "SIMPLESEA macOS",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Linux DreamJob",
          "display_name": "Linux DreamJob",
          "target": null
        },
        {
          "id": "SimplexTea Linux",
          "display_name": "SimplexTea Linux",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "SIMPLESEA",
          "display_name": "SIMPLESEA",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        }
      ],
      "industries": [
        "Military",
        "Cryptocurrency",
        "Hospitality",
        "Healthcare",
        "Defense",
        "Aerospace"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cyber74Team",
        "id": "202637",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 4,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 166,
      "modified_text": "1137 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://journalide.org/djour.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://journalide.org/djour.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780283885.0477242
}