{ "type": "URL", "indicator": "https://marketplace24ei.ru/790628.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://marketplace24ei.ru/790628.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4122716358, "indicator": "https://marketplace24ei.ru/790628.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68addd58d3bae863fdf8d5ae", "name": "Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA", "description": "In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign delivered the Rhadamanthys Stealer using PNG steganography, indicating increased sophistication in payload delivery. Salty2FA, a new Phishing-as-a-Service framework attributed to Storm-1575, was discovered targeting Microsoft 365 accounts globally, capable of bypassing various 2FA methods. These attacks demonstrate the evolution of phishing kits and stealers, emphasizing the need for behavioral analysis and real-time threat intelligence in cybersecurity defenses.", "modified": "2025-09-29T07:48:12.468000", "created": "2025-08-26T16:14:13.454000", "tags": [ "rhadamanthys stealer", "phishing", "tycoon2fa", "salty2fa", "clickfix" ], "references": [ "https://any.run/cybersecurity-blog/cyber-attacks-august-2025" ], "public": 1, "adversary": "Storm-1575", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Tycoon2FA", "display_name": "Tycoon2FA", "target": null }, { "id": "Rhadamanthys Stealer", "display_name": "Rhadamanthys Stealer", "target": null }, { "id": "Salty2FA", "display_name": "Salty2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense", "Finance", "Energy", "Manufacturing", "Healthcare", "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 2, "URL": 5 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386597, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a7f6cccd788262b87670e6", "name": "EbeeAugust2025 Pt3", "description": "", "modified": "2025-10-02T14:03:15.669000", "created": "2025-08-22T04:49:16.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 219, "FileHash-SHA1": 197, "FileHash-SHA256": 260, "URL": 89, "domain": 180, "email": 4, "hostname": 64 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b12ad3b4c03bf48aa31bba", "name": "Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA", "description": "", "modified": "2025-09-27T18:07:05.748000", "created": "2025-08-29T04:21:39.146000", "tags": [ "rhadamanthys stealer", "phishing", "tycoon2fa", "salty2fa", "clickfix" ], "references": [ "https://any.run/cybersecurity-blog/cyber-attacks-august-2025" ], "public": 1, "adversary": "Storm-1575", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Tycoon2FA", "display_name": "Tycoon2FA", "target": null }, { "id": "Rhadamanthys Stealer", "display_name": "Rhadamanthys Stealer", "target": null }, { "id": "Salty2FA", "display_name": "Salty2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense", "Finance", "Energy", "Manufacturing", "Healthcare", "Telecommunications", "Education" ], "TLP": "white", "cloned_from": "68addd58d3bae863fdf8d5ae", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 2, "URL": 5 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://any.run/cybersecurity-blog/cyber-attacks-august-2025" ], "related": { "alienvault": { "adversary": [ "Storm-1575" ], "malware_families": [ "Tycoon2fa", "Rhadamanthys stealer", "Salty2fa" ], "industries": [ "Energy", "Telecommunications", "Government", "Education", "Healthcare", "Finance", "Manufacturing", "Defense" ], "unique_indicators": 26 }, "other": { "adversary": [ "Storm-1575" ], "malware_families": [ "Tycoon2fa", "Rhadamanthys stealer", "Salty2fa" ], "industries": [ "Energy", "Telecommunications", "Government", "Education", "Healthcare", "Finance", "Manufacturing", "Defense" ], "unique_indicators": 1137 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/marketplace24ei.ru", "whois": "http://whois.domaintools.com/marketplace24ei.ru", "domain": "marketplace24ei.ru", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68addd58d3bae863fdf8d5ae", "name": "Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA", "description": "In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign delivered the Rhadamanthys Stealer using PNG steganography, indicating increased sophistication in payload delivery. Salty2FA, a new Phishing-as-a-Service framework attributed to Storm-1575, was discovered targeting Microsoft 365 accounts globally, capable of bypassing various 2FA methods. These attacks demonstrate the evolution of phishing kits and stealers, emphasizing the need for behavioral analysis and real-time threat intelligence in cybersecurity defenses.", "modified": "2025-09-29T07:48:12.468000", "created": "2025-08-26T16:14:13.454000", "tags": [ "rhadamanthys stealer", "phishing", "tycoon2fa", "salty2fa", "clickfix" ], "references": [ "https://any.run/cybersecurity-blog/cyber-attacks-august-2025" ], "public": 1, "adversary": "Storm-1575", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Tycoon2FA", "display_name": "Tycoon2FA", "target": null }, { "id": "Rhadamanthys Stealer", "display_name": "Rhadamanthys Stealer", "target": null }, { "id": "Salty2FA", "display_name": "Salty2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense", "Finance", "Energy", "Manufacturing", "Healthcare", "Telecommunications", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 60, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 2, "URL": 5 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 386597, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a7f6cccd788262b87670e6", "name": "EbeeAugust2025 Pt3", "description": "", "modified": "2025-10-02T14:03:15.669000", "created": "2025-08-22T04:49:16.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 219, "FileHash-SHA1": 197, "FileHash-SHA256": 260, "URL": 89, "domain": 180, "email": 4, "hostname": 64 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68b12ad3b4c03bf48aa31bba", "name": "Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA", "description": "", "modified": "2025-09-27T18:07:05.748000", "created": "2025-08-29T04:21:39.146000", "tags": [ "rhadamanthys stealer", "phishing", "tycoon2fa", "salty2fa", "clickfix" ], "references": [ "https://any.run/cybersecurity-blog/cyber-attacks-august-2025" ], "public": 1, "adversary": "Storm-1575", "targeted_countries": [ "United States of America", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Tycoon2FA", "display_name": "Tycoon2FA", "target": null }, { "id": "Rhadamanthys Stealer", "display_name": "Rhadamanthys Stealer", "target": null }, { "id": "Salty2FA", "display_name": "Salty2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense", "Finance", "Energy", "Manufacturing", "Healthcare", "Telecommunications", "Education" ], "TLP": "white", "cloned_from": "68addd58d3bae863fdf8d5ae", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 17, "hostname": 2, "URL": 5 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://marketplace24ei.ru/790628.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://marketplace24ei.ru/790628.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780276557.2848465 }