{ "type": "URL", "indicator": "https://mensualgeneratr.com/descargas/s.microsoft.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mensualgeneratr.com/descargas/s.microsoft.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4370101334, "indicator": "https://mensualgeneratr.com/descargas/s.microsoft.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09733707b26014374f6213", "name": "Wacatac targeting Mexico \u2014 Multi-stage phishing: SAT PDF lure \u2192 reflected XSS on participa.jalisco.gob.mx \u2192 JS dropper \u2192 PowerShell \u2192 PE infostealer with RunOnce persistence", "description": "Multi-stage Wacatac (Wacatac.B9nj) campaign targeting Mexico via SAT PDF lures. Active since Mar 2026, infrastructure since Sep 2023.\n\nCHAIN: Email > PDF /Link > XSS jalisco.gob.mx > JS dropper (mensualgeneratr.com/up.js) > FAC-*.pdf.js (double-ext) > PowerShell > PE infostealer+bootkit > C2 dlxfreights.site/mx/bmxp/tele.php\n\nINFRA: 51 subdomains on dlxfreights.site > 64.95.13.65 (BL Networks AS399629, bulletproof). Enterprise phishing: okta.e, m365.e, sso.e. Panel: admin.e, graph.e, billing.e. 42 subdomains created 2026-02-03 (single day setup).\n\nOPERATOR: punk1mm085@gmail.com. Linked to Jul 2024 banking phishing (Banamex, Citi, BBVA). Namecheap + Cloudflare + BL Networks = consistent pattern.\n\nSANDBOX: raw_disk_access, physical_drive_access (bootkit), ntdll anti-EDR, APC injection, infostealer_cookies.\n\nATT&CK: T1566.001/.002, T1189, T1059.001/.007, T1027.002, T1036.007, T1562.001, T1055.004, T1082, T1539, T1547.001, T1105, T1071.001, T1041\n\nTLP:WHITE - IOCs freely shareable.", "modified": "2026-05-20T18:46:57.543000", "created": "2026-05-17T07:50:12.141000", "tags": [ "phishing", "mexico", "wacatac", "trojan", "infostealer", "dropper", "pdf-lure", "reflected-xss", "pdf-lib", "mensualgeneratr", "dlxfreights", "SAT", "comprobante-pago", "factura", "jalisco-xss", "geo-fenced", "government-site-abuse", "mexican-tax-authority", "wscript", "powershell", "javascript-dropper", "multi-stage", "namecheap-abuse", "cloudflare-abuse", "runonce-persistence", "double-extension", "pe-disguised-as-pdf", "ms-impersonation", "c2-subdomain-architecture" ], "references": [], "public": 1, "adversary": "Unknown", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Wacatac", "display_name": "Wacatac", "target": null } ], "attack_ids": [], "industries": [ "Government", "Financial Services", "Logistics", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vitamen007", "id": "127898", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "hostname": 37, "URL": 6, "IPv4": 1, "FileHash-SHA256": 2, "FileHash-SHA1": 2, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Unknown", "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager" ], "malware_families": [ "Wacatac" ], "industries": [ "Logistics", "Government", "Financial services", "Manufacturing" ], "unique_indicators": 1024 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/mensualgeneratr.com", "whois": "http://whois.domaintools.com/mensualgeneratr.com", "domain": "mensualgeneratr.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09733707b26014374f6213", "name": "Wacatac targeting Mexico \u2014 Multi-stage phishing: SAT PDF lure \u2192 reflected XSS on participa.jalisco.gob.mx \u2192 JS dropper \u2192 PowerShell \u2192 PE infostealer with RunOnce persistence", "description": "Multi-stage Wacatac (Wacatac.B9nj) campaign targeting Mexico via SAT PDF lures. Active since Mar 2026, infrastructure since Sep 2023.\n\nCHAIN: Email > PDF /Link > XSS jalisco.gob.mx > JS dropper (mensualgeneratr.com/up.js) > FAC-*.pdf.js (double-ext) > PowerShell > PE infostealer+bootkit > C2 dlxfreights.site/mx/bmxp/tele.php\n\nINFRA: 51 subdomains on dlxfreights.site > 64.95.13.65 (BL Networks AS399629, bulletproof). Enterprise phishing: okta.e, m365.e, sso.e. Panel: admin.e, graph.e, billing.e. 42 subdomains created 2026-02-03 (single day setup).\n\nOPERATOR: punk1mm085@gmail.com. Linked to Jul 2024 banking phishing (Banamex, Citi, BBVA). Namecheap + Cloudflare + BL Networks = consistent pattern.\n\nSANDBOX: raw_disk_access, physical_drive_access (bootkit), ntdll anti-EDR, APC injection, infostealer_cookies.\n\nATT&CK: T1566.001/.002, T1189, T1059.001/.007, T1027.002, T1036.007, T1562.001, T1055.004, T1082, T1539, T1547.001, T1105, T1071.001, T1041\n\nTLP:WHITE - IOCs freely shareable.", "modified": "2026-05-20T18:46:57.543000", "created": "2026-05-17T07:50:12.141000", "tags": [ "phishing", "mexico", "wacatac", "trojan", "infostealer", "dropper", "pdf-lure", "reflected-xss", "pdf-lib", "mensualgeneratr", "dlxfreights", "SAT", "comprobante-pago", "factura", "jalisco-xss", "geo-fenced", "government-site-abuse", "mexican-tax-authority", "wscript", "powershell", "javascript-dropper", "multi-stage", "namecheap-abuse", "cloudflare-abuse", "runonce-persistence", "double-extension", "pe-disguised-as-pdf", "ms-impersonation", "c2-subdomain-architecture" ], "references": [], "public": 1, "adversary": "Unknown", "targeted_countries": [ "Mexico" ], "malware_families": [ { "id": "Wacatac", "display_name": "Wacatac", "target": null } ], "attack_ids": [], "industries": [ "Government", "Financial Services", "Logistics", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vitamen007", "id": "127898", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "hostname": 37, "URL": 6, "IPv4": 1, "FileHash-SHA256": 2, "FileHash-SHA1": 2, "FileHash-MD5": 2, "email": 1 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mensualgeneratr.com/descargas/s.microsoft.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mensualgeneratr.com/descargas/s.microsoft.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780249579.684292 }