{
  "type": "URL",
  "indicator": "https://kidsprotect.live/upload_screenshot.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://kidsprotect.live/upload_screenshot.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4343984970,
      "indicator": "https://kidsprotect.live/upload_screenshot.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "69fbad82234fc33123b0ce6d",
          "name": "EbeeMay2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-06T21:07:14.769000",
          "created": "2026-05-06T21:07:14.769000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "filepath",
            "localappdata",
            "cve20250994 cve",
            "temp",
            "mutex",
            "local"
          ],
          "references": [
            "IOCs-May1.csv"
          ],
          "public": 1,
          "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 80,
            "CIDR": 3,
            "CVE": 10,
            "FileHash-MD5": 154,
            "FileHash-SHA1": 140,
            "FileHash-SHA256": 219,
            "URL": 80,
            "domain": 82,
            "email": 8,
            "hostname": 60
          },
          "indicator_count": 836,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f99f0b14707306f5cb7a96",
          "name": "KidsProtect - A Near-Total Surveillance Toolkit",
          "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.",
          "modified": "2026-05-05T07:40:59.536000",
          "created": "2026-05-05T07:40:59.536000",
          "tags": [
            "capture",
            "kidsprotect",
            "android",
            "certo",
            "gps location",
            "whatsapp",
            "viber",
            "wifiservice",
            "protect",
            "remote access",
            "trojan",
            "parental",
            "stealth",
            "stream",
            "telegram",
            "service installer",
            "classes2.dex",
            "dalvik dex",
            "android",
            "yara detections",
            "filehash",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "file score",
            "low risk",
            "open th",
            "virustotal api",
            "comments",
            "iocs",
            "data upload",
            "extraction",
            "se boypes"
          ],
          "references": [
            "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo",
            "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/",
            "Android Permissions Below:",
            "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,",
            "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,",
            "MANAGE_EXTERNAL_STORAGE, READ_SMS, READ_CALL_LOG,",
            "The app\u2019s package name \u2014 com.example.parentguard",
            "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions",
            "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.",
            "com.example.parentguard",
            "The software is sold on a subscription basis starting from $60.",
            "Sophia Taylor, a Senior Cybersecurity Writer at Certo; digital security, privacy, and emerging threats expert.",
            "Additional research by Q.Vashti"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "ALF:AndroidOSSuspiciousPerms.A",
              "display_name": "ALF:AndroidOSSuspiciousPerms.A",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 49,
            "domain": 3,
            "hostname": 5,
            "email": 1
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs-May1.csv",
        "The software is sold on a subscription basis starting from $60.",
        "Android Permissions Below:",
        "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/",
        "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,",
        "Additional research by Q.Vashti",
        "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,",
        "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions",
        "com.example.parentguard",
        "The app\u2019s package name \u2014 com.example.parentguard",
        "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.",
        "Sophia Taylor, a Senior Cybersecurity Writer at Certo; digital security, privacy, and emerging threats expert.",
        "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo",
        "MANAGE_EXTERNAL_STORAGE, READ_SMS, READ_CALL_LOG,"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT"
          ],
          "malware_families": [
            "Alf:androidossuspiciousperms.a",
            "Remote access"
          ],
          "industries": [],
          "unique_indicators": 860
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/kidsprotect.live",
    "whois": "http://whois.domaintools.com/kidsprotect.live",
    "domain": "kidsprotect.live",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "69fbad82234fc33123b0ce6d",
      "name": "EbeeMay2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-06T21:07:14.769000",
      "created": "2026-05-06T21:07:14.769000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "filepath",
        "localappdata",
        "cve20250994 cve",
        "temp",
        "mutex",
        "local"
      ],
      "references": [
        "IOCs-May1.csv"
      ],
      "public": 1,
      "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 80,
        "CIDR": 3,
        "CVE": 10,
        "FileHash-MD5": 154,
        "FileHash-SHA1": 140,
        "FileHash-SHA256": 219,
        "URL": 80,
        "domain": 82,
        "email": 8,
        "hostname": 60
      },
      "indicator_count": 836,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f99f0b14707306f5cb7a96",
      "name": "KidsProtect - A Near-Total Surveillance Toolkit",
      "description": "Stalkerware developers are facing increasing legal pressure, with several high-profile platforms shut down by court order in recent years.\n\nCerto has discovered a new Android surveillance tool being openly advertised on the clear web that gives an operator near-total secret control of a victim\u2019s phone. It can\u2019t be removed without the attacker\u2019s permission. And for a fee, anyone can buy it, brand it, and start selling it as their own.\n\nThe tool, branded KidsProtect, is an Android Remote Access Trojan (RAT) that, once installed on a target device, operates entirely in the background without the owner\u2019s knowledge.\nFrom a web-based dashboard, an operator can secretly record calls, stream live audio from the device\u2019s microphone, track GPS location in real time, read SMS messages and notifications from apps including WhatsApp and Viber, log keystrokes, access contacts and photos, and remotely trigger the front and rear cameras.",
      "modified": "2026-05-05T07:40:59.536000",
      "created": "2026-05-05T07:40:59.536000",
      "tags": [
        "capture",
        "kidsprotect",
        "android",
        "certo",
        "gps location",
        "whatsapp",
        "viber",
        "wifiservice",
        "protect",
        "remote access",
        "trojan",
        "parental",
        "stealth",
        "stream",
        "telegram",
        "service installer",
        "classes2.dex",
        "dalvik dex",
        "android",
        "yara detections",
        "filehash",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "file score",
        "low risk",
        "open th",
        "virustotal api",
        "comments",
        "iocs",
        "data upload",
        "extraction",
        "se boypes"
      ],
      "references": [
        "The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Article By Sophia Taylor a Senior Cybersecurity Writer at Certo",
        "https://www.certosoftware.com/insights/the-new-hacking-tool-that-lets-anyone-launch-their-own-spyware-company/",
        "Android Permissions Below:",
        "ACCESS_BACKGROUND_LOCATION, RECORD_AUDIO, CAMERA,",
        "PROCESS_OUTGOING_CALLS, READ_CONTACTS, PACKAGE_USAGE_STATS,",
        "MANAGE_EXTERNAL_STORAGE, READ_SMS, READ_CALL_LOG,",
        "The app\u2019s package name \u2014 com.example.parentguard",
        "App requests SYSTEM_ALERT_WINDOW and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions",
        "A BootReceiver component ensures the spyware restarts automatically every time the device is rebooted.",
        "com.example.parentguard",
        "The software is sold on a subscription basis starting from $60.",
        "Sophia Taylor, a Senior Cybersecurity Writer at Certo; digital security, privacy, and emerging threats expert.",
        "Additional research by Q.Vashti"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Remote Access",
          "display_name": "Remote Access",
          "target": null
        },
        {
          "id": "ALF:AndroidOSSuspiciousPerms.A",
          "display_name": "ALF:AndroidOSSuspiciousPerms.A",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 49,
        "domain": 3,
        "hostname": 5,
        "email": 1
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://kidsprotect.live/upload_screenshot.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://kidsprotect.live/upload_screenshot.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780176046.8983812
}