{ "type": "URL", "indicator": "https://manzisuape.com/ao/190.exe", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://manzisuape.com/ao/190.exe", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4097912366, "indicator": "https://manzisuape.com/ao/190.exe", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68a7465fd6fcc8556c5059d2", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC", "description": "A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates include improved geofencing, more potent secondary infections, and enhanced credential stealing capabilities. The AllaKore payload has been heavily modified to enable theft of banking credentials and authentication information. The group has shown consistent development of their tactics and techniques over time, demonstrating persistence and some level of operational success. Despite their longevity, they are not considered highly advanced, focusing primarily on financial fraud against Mexican entities across various industries.", "modified": "2025-08-21T19:53:50.031000", "created": "2025-08-21T16:16:31.517000", "tags": [ "credential theft", "spear-phishing", "drive-by download", "financial fraud", "allakore rat", "systembc", "geofencing", "mexico" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc" ], "public": 1, "adversary": "Greedy Sponge", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "AllaKore RAT", "display_name": "AllaKore RAT", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1218.003", "name": "CMSTP", "display_name": "T1218.003 - CMSTP" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [ "Retail", "Agriculture", "Government", "Entertainment", "Manufacturing", "Transportation", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 34, "FileHash-SHA1": 35, "FileHash-SHA256": 41, "URL": 4, "domain": 23 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 386493, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a7e011cdda1f353cfe7b98", "name": "IOC - Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC", "description": "", "modified": "2025-08-22T03:12:17.607000", "created": "2025-08-22T03:12:17.607000", "tags": [ "credential theft", "spear-phishing", "drive-by download", "financial fraud", "allakore rat", "systembc", "geofencing", "mexico" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc" ], "public": 1, "adversary": "Greedy Sponge", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "AllaKore RAT", "display_name": "AllaKore RAT", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1218.003", "name": "CMSTP", "display_name": "T1218.003 - CMSTP" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [ "Retail", "Agriculture", "Government", "Entertainment", "Manufacturing", "Transportation", "Finance" ], "TLP": "white", "cloned_from": "68a7465fd6fcc8556c5059d2", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 34, "FileHash-SHA1": 35, "FileHash-SHA256": 41, "URL": 4, "domain": 23 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "282 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f6efcab902a0a0cd1a7fd", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC - Arctic Wolf", "description": "", "modified": "2025-08-21T10:05:01.053000", "created": "2025-07-22T10:59:08.376000", "tags": [ "greedy sponge", "allakore rat", "arctic wolf", "mexico", "allakore c2", "systembc", "allakore", "defense evasion", "labs", "chrome", "wolf", "spongebob", "install", "delphi", "cylance", "february", "installer", "powershell", "execution" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 12, "FileHash-SHA256": 42, "URL": 6, "YARA": 2, "domain": 23 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d0e99ff0c7d2788ae55ec", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC.", "description": "Arctic Wolf Labs has identified a financially motivated threat group dubbed Greedy Sponge, which has been active since early 2021, primarily targeting Mexican organizations. This group employs modified versions of the AllaKore RAT and SystemBC malware, focusing on financial fraud. The AllaKore RAT has been significantly altered to capture banking credentials and unique authentication data, enabling the attackers to exfiltrate sensitive information to their command-and-control (C2) server. The recent campaigns include deploying custom installers that contain the modified RAT and utilizing SystemBC as a secondary tool for further exploitation. Greedy Sponge's operational tactics have evolved, particularly since mid-2024, with enhancements in geofencing methods that restrict their activities to the Mexican region. Previously, geofencing checks were performed at the initial stage using a .NET downloader, but these checks have now been moved server-side to complicate detection efforts.", "modified": "2025-08-19T15:00:27.487000", "created": "2025-07-20T15:43:21.555000", "tags": [ "greedy sponge", "allakore rat", "arctic wolf", "mexico", "allakore c2", "systembc", "allakore", "defense evasion", "labs", "chrome", "wolf", "spongebob", "install", "delphi", "cylance", "february", "installer", "powershell", "execution" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 12, "FileHash-SHA256": 42, "URL": 6, "YARA": 2, "domain": 23 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/", "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc" ], "related": { "alienvault": { "adversary": [ "Greedy Sponge" ], "malware_families": [ "Systembc", "Allakore rat" ], "industries": [ "Manufacturing", "Agriculture", "Retail", "Government", "Transportation", "Entertainment", "Finance" ], "unique_indicators": 139 }, "other": { "adversary": [ "Greedy Sponge" ], "malware_families": [ "Systembc", "Allakore rat" ], "industries": [ "Manufacturing", "Agriculture", "Retail", "Government", "Transportation", "Entertainment", "Finance" ], "unique_indicators": 149 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/manzisuape.com", "whois": "http://whois.domaintools.com/manzisuape.com", "domain": "manzisuape.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68a7465fd6fcc8556c5059d2", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC", "description": "A financially motivated threat group dubbed Greedy Sponge has been targeting Mexican organizations since 2021 with a modified version of AllaKore RAT and SystemBC malware. The group uses spear-phishing and drive-by downloads to deliver custom packaged installers containing the RAT. Recent updates include improved geofencing, more potent secondary infections, and enhanced credential stealing capabilities. The AllaKore payload has been heavily modified to enable theft of banking credentials and authentication information. The group has shown consistent development of their tactics and techniques over time, demonstrating persistence and some level of operational success. Despite their longevity, they are not considered highly advanced, focusing primarily on financial fraud against Mexican entities across various industries.", "modified": "2025-08-21T19:53:50.031000", "created": "2025-08-21T16:16:31.517000", "tags": [ "credential theft", "spear-phishing", "drive-by download", "financial fraud", "allakore rat", "systembc", "geofencing", "mexico" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc" ], "public": 1, "adversary": "Greedy Sponge", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "AllaKore RAT", "display_name": "AllaKore RAT", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1218.003", "name": "CMSTP", "display_name": "T1218.003 - CMSTP" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [ "Retail", "Agriculture", "Government", "Entertainment", "Manufacturing", "Transportation", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 34, "FileHash-SHA1": 35, "FileHash-SHA256": 41, "URL": 4, "domain": 23 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 386493, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a7e011cdda1f353cfe7b98", "name": "IOC - Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC", "description": "", "modified": "2025-08-22T03:12:17.607000", "created": "2025-08-22T03:12:17.607000", "tags": [ "credential theft", "spear-phishing", "drive-by download", "financial fraud", "allakore rat", "systembc", "geofencing", "mexico" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc" ], "public": 1, "adversary": "Greedy Sponge", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "AllaKore RAT", "display_name": "AllaKore RAT", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1548.002", "name": "Bypass User Account Control", "display_name": "T1548.002 - Bypass User Account Control" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1218.003", "name": "CMSTP", "display_name": "T1218.003 - CMSTP" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [ "Retail", "Agriculture", "Government", "Entertainment", "Manufacturing", "Transportation", "Finance" ], "TLP": "white", "cloned_from": "68a7465fd6fcc8556c5059d2", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 34, "FileHash-SHA1": 35, "FileHash-SHA256": 41, "URL": 4, "domain": 23 }, "indicator_count": 139, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "282 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f6efcab902a0a0cd1a7fd", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC - Arctic Wolf", "description": "", "modified": "2025-08-21T10:05:01.053000", "created": "2025-07-22T10:59:08.376000", "tags": [ "greedy sponge", "allakore rat", "arctic wolf", "mexico", "allakore c2", "systembc", "allakore", "defense evasion", "labs", "chrome", "wolf", "spongebob", "install", "delphi", "cylance", "february", "installer", "powershell", "execution" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 12, "FileHash-SHA256": 42, "URL": 6, "YARA": 2, "domain": 23 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d0e99ff0c7d2788ae55ec", "name": "Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC.", "description": "Arctic Wolf Labs has identified a financially motivated threat group dubbed Greedy Sponge, which has been active since early 2021, primarily targeting Mexican organizations. This group employs modified versions of the AllaKore RAT and SystemBC malware, focusing on financial fraud. The AllaKore RAT has been significantly altered to capture banking credentials and unique authentication data, enabling the attackers to exfiltrate sensitive information to their command-and-control (C2) server. The recent campaigns include deploying custom installers that contain the modified RAT and utilizing SystemBC as a secondary tool for further exploitation. Greedy Sponge's operational tactics have evolved, particularly since mid-2024, with enhancements in geofencing methods that restrict their activities to the Mexican region. Previously, geofencing checks were performed at the initial stage using a .NET downloader, but these checks have now been moved server-side to complicate detection efforts.", "modified": "2025-08-19T15:00:27.487000", "created": "2025-07-20T15:43:21.555000", "tags": [ "greedy sponge", "allakore rat", "arctic wolf", "mexico", "allakore c2", "systembc", "allakore", "defense evasion", "labs", "chrome", "wolf", "spongebob", "install", "delphi", "cylance", "february", "installer", "powershell", "execution" ], "references": [ "https://arcticwolf.com/resources/blog/greedy-sponge-targets-mexico-with-allakore-rat-and-systembc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 12, "FileHash-SHA256": 42, "URL": 6, "YARA": 2, "domain": 23 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://manzisuape.com/ao/190.exe", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://manzisuape.com/ao/190.exe", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780214858.8009944 }