{
  "type": "URL",
  "indicator": "https://kefas.id/search/s.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://kefas.id/search/s.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3715670923,
      "indicator": "https://kefas.id/search/s.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "64c131d13447ec7826c8ac6f",
          "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
          "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine.",
          "modified": "2024-03-06T16:58:35.581000",
          "created": "2023-07-26T14:46:39.920000",
          "tags": [
            "apt29",
            "lab52",
            "avertium",
            "ukraine",
            "magicweb",
            "nato",
            "solarwinds",
            "snowyamber",
            "halfrig",
            "quarterrig",
            "cobalt strike",
            "orion",
            "team",
            "mimikatz",
            "ransomware"
          ],
          "references": [
            "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Poland",
            "Ukraine",
            "Norway"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 441,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386458,
          "modified_text": "815 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e30d748895cd7a5746fd20",
          "name": "Evolution of Russian APT29 \u2013 Attacks & Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research]",
          "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
          "modified": "2026-05-18T03:24:08.757000",
          "created": "2026-04-18T04:49:56.011000",
          "tags": [
            "injection",
            "removal",
            "manipulation",
            "apt29",
            "lab52",
            "avertium",
            "ukraine",
            "magicweb",
            "nato",
            "solarwinds",
            "snowyamber",
            "halfrig",
            "quarterrig",
            "orion",
            "team",
            "ransomware",
            "mimikatz",
            "magicweb",
            "hijack",
            "cobalt strike",
            "trojan",
            "dropper",
            "dukes",
            "malware",
            "ylarv",
            "drop",
            "msdos",
            "stub",
            "rareencoding",
            "memory pattern",
            "communication",
            "urls http",
            "hashes",
            "client execut",
            "modify registry",
            "preos boot",
            "technir process",
            "artifacts v",
            "v help",
            "rootkit",
            "os credential",
            "response",
            "nxdomain",
            "name n",
            "dumping",
            "sigma",
            "use short",
            "name path",
            "creates",
            "query firmware",
            "verdict",
            "report",
            "malicious",
            "defense evasion",
            "network info",
            "process",
            "system",
            "hostname"
          ],
          "references": [
            "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
            "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
            "I copied IoC\u2019s from a pulse by AlienVault. I added related, resourced information I found interesting",
            "XOR_embeded_exefile_xored_with_round_256_bytes_key",
            "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
            "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
            "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
            "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
            "YARA RULE: SUSP_Encoded_GetCurrentThreadId  RULE_AUTHOR: Florian Roth",
            "YARA RULE_SET: Livehunt - Suspicious82 Indicators  RULE_AUTHOR: Florian Roth",
            "YARA RULE_TYPE: THOR APT Scanner's rule set only  RULE_AUTHOR: Florian Roth",
            "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
            "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
            "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
            "kefas.id: Crowdsourced Sigma below | Malicious Score High",
            "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
            "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
            "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
            "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Norway",
            "Ukraine",
            "Poland"
          ],
          "malware_families": [
            {
              "id": "Xored",
              "display_name": "Xored",
              "target": null
            },
            {
              "id": "Trojan.Dukes/Xmldrp",
              "display_name": "Trojan.Dukes/Xmldrp",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1542.003",
              "name": "Bootkit",
              "display_name": "T1542.003 - Bootkit"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 23,
            "URL": 34,
            "hostname": 97,
            "FileHash-MD5": 32,
            "FileHash-SHA1": 29,
            "FileHash-SHA256": 138,
            "CVE": 4
          },
          "indicator_count": 357,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "12 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c3a1a893a7bd4c7b6411db",
          "name": "Threatview.io URL Blocklist",
          "description": "Malicious URLs serving malware, phishing, botnets and C2",
          "modified": "2023-08-27T11:04:21.859000",
          "created": "2023-07-28T11:08:23.903000",
          "tags": [],
          "references": [
            "https://threatview.io/Downloads/URL-High-Confidence-Feed.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "hitman",
            "id": "195",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 18,
            "URL": 681,
            "hostname": 13
          },
          "indicator_count": 712,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1007 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c36b42cf9b263a855fa5d6",
          "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
          "description": "",
          "modified": "2023-07-28T07:16:18.552000",
          "created": "2023-07-28T07:16:18.552000",
          "tags": [
            "apt29",
            "lab52",
            "avertium",
            "ukraine",
            "magicweb",
            "nato",
            "solarwinds",
            "snowyamber",
            "halfrig",
            "quarterrig",
            "cobalt strike",
            "orion",
            "team",
            "mimikatz",
            "ransomware"
          ],
          "references": [
            "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Poland",
            "Ukraine",
            "Norway"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64c3577fadd86819482e0ca7",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "1037 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c3577fadd86819482e0ca7",
          "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
          "description": "",
          "modified": "2023-07-28T07:16:03.501000",
          "created": "2023-07-28T05:51:59.064000",
          "tags": [
            "apt29",
            "lab52",
            "avertium",
            "ukraine",
            "magicweb",
            "nato",
            "solarwinds",
            "snowyamber",
            "halfrig",
            "quarterrig",
            "cobalt strike",
            "orion",
            "team",
            "mimikatz",
            "ransomware"
          ],
          "references": [
            "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Poland",
            "Ukraine",
            "Norway"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64c131d13447ec7826c8ac6f",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "1037 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64b4e6cf804bf63108eb373b",
          "name": "New invitation from APT29 to use CCleaner",
          "description": "",
          "modified": "2023-07-17T06:59:27.205000",
          "created": "2023-07-17T06:59:27.205000",
          "tags": [
            "kkee",
            "apt29",
            "username",
            "computername",
            "virustotal",
            "apt29 campaign",
            "information",
            "svg dropperdll",
            "stage0",
            "svg dropper",
            "svg"
          ],
          "references": [
            "https://lab52.io/blog/2344-2/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SVG",
              "display_name": "SVG",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64b4e691e7d6de163f191968",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1048 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64b4e691e7d6de163f191968",
          "name": "New invitation from APT29 to use CCleaner",
          "description": "",
          "modified": "2023-07-17T06:58:45.531000",
          "created": "2023-07-17T06:58:25.891000",
          "tags": [
            "kkee",
            "apt29",
            "username",
            "computername",
            "virustotal",
            "apt29 campaign",
            "information",
            "svg dropperdll",
            "stage0",
            "svg dropper",
            "svg"
          ],
          "references": [
            "https://lab52.io/blog/2344-2/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SVG",
              "display_name": "SVG",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64b0eae267d420abfdb9854e",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1048 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64b0eae267d420abfdb9854e",
          "name": "New invitation from APT29 to use CCleaner",
          "description": "A report from S2 Grupo Home, a threat intelligence division, highlights new techniques used by cyber-espionage group APT29 to infect computer users and spread their malware on the internet.",
          "modified": "2023-07-14T06:27:46.217000",
          "created": "2023-07-14T06:27:46.217000",
          "tags": [
            "kkee",
            "apt29",
            "username",
            "computername",
            "virustotal",
            "apt29 campaign",
            "information",
            "svg dropperdll",
            "stage0",
            "svg dropper",
            "svg"
          ],
          "references": [
            "https://lab52.io/blog/2344-2/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SVG",
              "display_name": "SVG",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 7,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1051 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
        "XOR_embeded_exefile_xored_with_round_256_bytes_key",
        "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
        "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
        "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
        "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
        "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
        "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
        "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research",
        "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
        "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
        "https://lab52.io/blog/2344-2/",
        "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
        "kefas.id: Crowdsourced Sigma below | Malicious Score High",
        "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
        "YARA RULE_TYPE: THOR APT Scanner's rule set only  RULE_AUTHOR: Florian Roth",
        "YARA RULE: SUSP_Encoded_GetCurrentThreadId  RULE_AUTHOR: Florian Roth",
        "https://threatview.io/Downloads/URL-High-Confidence-Feed.txt",
        "YARA RULE_SET: Livehunt - Suspicious82 Indicators  RULE_AUTHOR: Florian Roth",
        "I copied IoCs from a pulse by AlienVault and added related, resourced information I found interesting",
        "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 25
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Svg",
            "Xored",
            "Trojan.dukes/xmldrp"
          ],
          "industries": [],
          "unique_indicators": 1589
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/kefas.id",
    "whois": "http://whois.domaintools.com/kefas.id",
    "domain": "kefas.id",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "64c131d13447ec7826c8ac6f",
      "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
      "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine.",
      "modified": "2024-03-06T16:58:35.581000",
      "created": "2023-07-26T14:46:39.920000",
      "tags": [
        "apt29",
        "lab52",
        "avertium",
        "ukraine",
        "magicweb",
        "nato",
        "solarwinds",
        "snowyamber",
        "halfrig",
        "quarterrig",
        "cobalt strike",
        "orion",
        "team",
        "mimikatz",
        "ransomware"
      ],
      "references": [
        "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Poland",
        "Ukraine",
        "Norway"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 441,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386458,
      "modified_text": "815 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e30d748895cd7a5746fd20",
      "name": "Evolution of Russian APT29 \u2013 Attacks & Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research]",
      "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
      "modified": "2026-05-18T03:24:08.757000",
      "created": "2026-04-18T04:49:56.011000",
      "tags": [
        "injection",
        "removal",
        "manipulation",
        "apt29",
        "lab52",
        "avertium",
        "ukraine",
        "magicweb",
        "nato",
        "solarwinds",
        "snowyamber",
        "halfrig",
        "quarterrig",
        "orion",
        "team",
        "ransomware",
        "mimikatz",
        "magicweb",
        "hijack",
        "cobalt strike",
        "trojan",
        "dropper",
        "dukes",
        "malware",
        "ylarv",
        "drop",
        "msdos",
        "stub",
        "rareencoding",
        "memory pattern",
        "communication",
        "urls http",
        "hashes",
        "client execut",
        "modify registry",
        "preos boot",
        "technir process",
        "artifacts v",
        "v help",
        "rootkit",
        "os credential",
        "response",
        "nxdomain",
        "name n",
        "dumping",
        "sigma",
        "use short",
        "name path",
        "creates",
        "query firmware",
        "verdict",
        "report",
        "malicious",
        "defense evasion",
        "network info",
        "process",
        "system",
        "hostname"
      ],
      "references": [
        "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
        "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
        "I copied IoCs from a pulse by AlienVault and added related, resourced information I found interesting",
        "XOR_embeded_exefile_xored_with_round_256_bytes_key",
        "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
        "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
        "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
        "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
        "YARA RULE: SUSP_Encoded_GetCurrentThreadId  RULE_AUTHOR: Florian Roth",
        "YARA RULE_SET: Livehunt - Suspicious82 Indicators  RULE_AUTHOR: Florian Roth",
        "YARA RULE_TYPE: THOR APT Scanner's rule set only  RULE_AUTHOR: Florian Roth",
        "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
        "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
        "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
        "kefas.id: Crowdsourced Sigma below | Malicious Score High",
        "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
        "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
        "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
        "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Norway",
        "Ukraine",
        "Poland"
      ],
      "malware_families": [
        {
          "id": "Xored",
          "display_name": "Xored",
          "target": null
        },
        {
          "id": "Trojan.Dukes/Xmldrp",
          "display_name": "Trojan.Dukes/Xmldrp",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1542.003",
          "name": "Bootkit",
          "display_name": "T1542.003 - Bootkit"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 23,
        "URL": 34,
        "hostname": 97,
        "FileHash-MD5": 32,
        "FileHash-SHA1": 29,
        "FileHash-SHA256": 138,
        "CVE": 4
      },
      "indicator_count": 357,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "12 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c3a1a893a7bd4c7b6411db",
      "name": "Threatview.io URL Blocklist",
      "description": "Malicious URLs serving malware, phishing, botnets and C2",
      "modified": "2023-08-27T11:04:21.859000",
      "created": "2023-07-28T11:08:23.903000",
      "tags": [],
      "references": [
        "https://threatview.io/Downloads/URL-High-Confidence-Feed.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "hitman",
        "id": "195",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 18,
        "URL": 681,
        "hostname": 13
      },
      "indicator_count": 712,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1007 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c36b42cf9b263a855fa5d6",
      "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
      "description": "",
      "modified": "2023-07-28T07:16:18.552000",
      "created": "2023-07-28T07:16:18.552000",
      "tags": [
        "apt29",
        "lab52",
        "avertium",
        "ukraine",
        "magicweb",
        "nato",
        "solarwinds",
        "snowyamber",
        "halfrig",
        "quarterrig",
        "cobalt strike",
        "orion",
        "team",
        "mimikatz",
        "ransomware"
      ],
      "references": [
        "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Poland",
        "Ukraine",
        "Norway"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64c3577fadd86819482e0ca7",
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 280,
      "modified_text": "1037 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c3577fadd86819482e0ca7",
      "name": "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered",
      "description": "",
      "modified": "2023-07-28T07:16:03.501000",
      "created": "2023-07-28T05:51:59.064000",
      "tags": [
        "apt29",
        "lab52",
        "avertium",
        "ukraine",
        "magicweb",
        "nato",
        "solarwinds",
        "snowyamber",
        "halfrig",
        "quarterrig",
        "cobalt strike",
        "orion",
        "team",
        "mimikatz",
        "ransomware"
      ],
      "references": [
        "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Poland",
        "Ukraine",
        "Norway"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64c131d13447ec7826c8ac6f",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "1037 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64b4e6cf804bf63108eb373b",
      "name": "New invitation from APT29 to use CCleaner",
      "description": "",
      "modified": "2023-07-17T06:59:27.205000",
      "created": "2023-07-17T06:59:27.205000",
      "tags": [
        "kkee",
        "apt29",
        "username",
        "computername",
        "virustotal",
        "apt29 campaign",
        "information",
        "svg dropperdll",
        "stage0",
        "svg dropper",
        "svg"
      ],
      "references": [
        "https://lab52.io/blog/2344-2/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SVG",
          "display_name": "SVG",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64b4e691e7d6de163f191968",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1048 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64b4e691e7d6de163f191968",
      "name": "New invitation from APT29 to use CCleaner",
      "description": "",
      "modified": "2023-07-17T06:58:45.531000",
      "created": "2023-07-17T06:58:25.891000",
      "tags": [
        "kkee",
        "apt29",
        "username",
        "computername",
        "virustotal",
        "apt29 campaign",
        "information",
        "svg dropperdll",
        "stage0",
        "svg dropper",
        "svg"
      ],
      "references": [
        "https://lab52.io/blog/2344-2/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SVG",
          "display_name": "SVG",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64b0eae267d420abfdb9854e",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1048 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64b0eae267d420abfdb9854e",
      "name": "New invitation from APT29 to use CCleaner",
      "description": "A report from S2 Grupo Home, a threat intelligence division, highlights new techniques used by cyber-espionage group APT29 to infect computer users and spread their malware on the internet.",
      "modified": "2023-07-14T06:27:46.217000",
      "created": "2023-07-14T06:27:46.217000",
      "tags": [
        "kkee",
        "apt29",
        "username",
        "computername",
        "virustotal",
        "apt29 campaign",
        "information",
        "svg dropperdll",
        "stage0",
        "svg dropper",
        "svg"
      ],
      "references": [
        "https://lab52.io/blog/2344-2/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SVG",
          "display_name": "SVG",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 7,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1051 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://kefas.id/search/s.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://kefas.id/search/s.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780180267.9336925
}