{ "type": "URL", "indicator": "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3928458155, "indicator": "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "66a9093cc37e48ed693820e8", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and maritime facilities in the Indian Ocean and Mediterranean Sea regions through espionage and intelligence gathering activities. The attack chain involves exploiting vulnerabilities in Microsoft Office and downloading malicious JavaScript payloads from the group's infrastructure. SideWinder continuously evolves its tactics, making it an ongoing threat.", "modified": "2024-08-29T15:01:08.353000", "created": "2024-07-30T15:39:40.941000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "RAZOR TIGER", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 248, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386606, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6897447b49f0971e56200788", "name": "SideWinder Updated IoC List", "description": "", "modified": "2025-09-08T12:02:50.283000", "created": "2025-08-09T12:52:11.392000", "tags": [ "h31l0" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 122, "FileHash-SHA1": 94, "FileHash-SHA256": 187, "domain": 156, "hostname": 141, "URL": 38 }, "indicator_count": 738, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "265 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6788c5dbca349ef48a63c3af", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2025-01-16T08:39:55.556000", "created": "2025-01-16T08:39:55.556000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66ab1a4815443e2d4c0f3322", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "500 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66aa94b5d10a450efd39788d", "name": "New SideWinder Attacks Target Maritime Facilities", "description": "Hashes (SHA256) - \u00c2\u00a31.5m - are subject to security and privacy concerns, according to the Department of Homeland Security (DHS) and the Office of National Statistics (ONS).", "modified": "2024-08-30T19:04:11.845000", "created": "2024-07-31T19:47:01.362000", "tags": [ "hashes", "sha256", "urls", "classification", "confidential" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "URL": 9, "domain": 4, "hostname": 17 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ab1a4815443e2d4c0f3322", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2024-08-29T15:01:08.353000", "created": "2024-08-01T05:16:56.476000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66a9093cc37e48ed693820e8", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a8d6a02d0e18be9d911c0b", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "A new campaign by the nation-state threat actor SideWinder is targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean, according to BlackBerry Research and Intelligence. \u00c2\u00a31.", "modified": "2024-08-29T12:02:08.339000", "created": "2024-07-30T12:03:44.193000", "tags": [ "cybersecurity", "sidewinder", "sri lanka", "javascript", "pdns", "stage", "research", "appendix", "cylanceendpoint", "shellcode", "october" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Nepal", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Maldives", "Afghanistan", "China" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a36b111ef3f39641ec764f", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2024-08-25T09:02:03.829000", "created": "2024-07-26T09:23:29.013000", "tags": [ "cybersecurity", "sidewinder", "sri lanka", "javascript", "pdns", "stage", "research", "appendix", "cylanceendpoint", "shellcode", "october" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "644 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/", "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "related": { "alienvault": { "adversary": [ "RAZOR TIGER" ], "malware_families": [], "industries": [], "unique_indicators": 63 }, "other": { "adversary": [ "SideWinder" ], "malware_families": [], "industries": [ "Government", "Military" ], "unique_indicators": 148048 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pdfadobe.com", "whois": "http://whois.domaintools.com/pdfadobe.com", "domain": "pdfadobe.com", "hostname": "mora.pdfadobe.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "66a9093cc37e48ed693820e8", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and maritime facilities in the Indian Ocean and Mediterranean Sea regions through espionage and intelligence gathering activities. The attack chain involves exploiting vulnerabilities in Microsoft Office and downloading malicious JavaScript payloads from the group's infrastructure. SideWinder continuously evolves its tactics, making it an ongoing threat.", "modified": "2024-08-29T15:01:08.353000", "created": "2024-07-30T15:39:40.941000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "RAZOR TIGER", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 248, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386606, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6897447b49f0971e56200788", "name": "SideWinder Updated IoC List", "description": "", "modified": "2025-09-08T12:02:50.283000", "created": "2025-08-09T12:52:11.392000", "tags": [ "h31l0" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 122, "FileHash-SHA1": 94, "FileHash-SHA256": 187, "domain": 156, "hostname": 141, "URL": 38 }, "indicator_count": 738, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "265 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6788c5dbca349ef48a63c3af", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2025-01-16T08:39:55.556000", "created": "2025-01-16T08:39:55.556000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66ab1a4815443e2d4c0f3322", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "500 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66aa94b5d10a450efd39788d", "name": "New SideWinder Attacks Target Maritime Facilities", "description": "Hashes (SHA256) - \u00c2\u00a31.5m - are subject to security and privacy concerns, according to the Department of Homeland Security (DHS) and the Office of National Statistics (ONS).", "modified": "2024-08-30T19:04:11.845000", "created": "2024-07-31T19:47:01.362000", "tags": [ "hashes", "sha256", "urls", "classification", "confidential" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 9, "URL": 9, "domain": 4, "hostname": 17 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ab1a4815443e2d4c0f3322", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2024-08-29T15:01:08.353000", "created": "2024-08-01T05:16:56.476000", "tags": [ "javascript", "vulnerability", "targeted", "cve-2017-11882", "maritime", "phishing", "cve-2017-0199", "nation-state", "espionage", "infrastructure" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "Pakistan", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Nepal", "Maldives" ], "malware_families": [], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66a9093cc37e48ed693820e8", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a8d6a02d0e18be9d911c0b", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "A new campaign by the nation-state threat actor SideWinder is targeting ports and maritime facilities in the Mediterranean Sea and Indian Ocean, according to BlackBerry Research and Intelligence. \u00c2\u00a31.", "modified": "2024-08-29T12:02:08.339000", "created": "2024-07-30T12:03:44.193000", "tags": [ "cybersecurity", "sidewinder", "sri lanka", "javascript", "pdns", "stage", "research", "appendix", "cylanceendpoint", "shellcode", "october" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Nepal", "Egypt", "Sri Lanka", "Bangladesh", "Myanmar", "Maldives", "Afghanistan", "China" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "640 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a36b111ef3f39641ec764f", "name": "SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea", "description": "", "modified": "2024-08-25T09:02:03.829000", "created": "2024-07-26T09:23:29.013000", "tags": [ "cybersecurity", "sidewinder", "sri lanka", "javascript", "pdns", "stage", "research", "appendix", "cylanceendpoint", "shellcode", "october" ], "references": [ "https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 9, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 9, "YARA": 1, "domain": 4, "hostname": 20 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "644 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://mora.pdfadobe.com/d8149d32/mora/doc.rtf", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780284662.4766934 }