{ "type": "URL", "indicator": "https://more-arpc.icu", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://more-arpc.icu", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4271644409, "indicator": "https://more-arpc.icu", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69baa7b58b52ce8d9c292a05", "name": "HellsUchecker: ClickFix to blockchain-backed backdoor", "description": "HellsUchecker is a sophisticated native x64 backdoor, measuring 28 KB, known for its complex 10-stage attack chain that begins with a deceptive ClickFix lure, resembling a Cloudflare CAPTCHA, and culminates in a memory-resident payload that communicates with its command and control (C2) server over HTTPS.\n\nThe initial stage directs victims to a phishing page, http://h01-captcha.sbs, which replicates a legitimate CAPTCHA interface. Upon interaction, it prompts users to execute a malicious command line, facilitated by a clipboard payload that runs the legitimate Windows utility \"finger.exe\" on port 79. This utility fetches malicious commands hidden in a crafted .plan file from a malicious server. The payload then employs a series of instructions to disable the desktop's explorer.exe, download a legitimate Python embed package disguised as a PDF, and execute a secondary payload via a base64-encoded script.", "modified": "2026-04-17T13:02:58.639000", "created": "2026-03-18T13:25:09.956000", "tags": [ "backdoor", "blockchain", "etherhiding", "malware", "reverseengineering", "clickfix", "apis", "msbuild", "domain group", "peb walk", "python", "winhttp", "pe loader", "c2 server", "hell", "smart contract", "gate", "avalanche", "february", "august", "virustotal", "sandbox", "ukraine", "belarus", "armenia", "syscall", "cleanup", "shellcode", "date", "apache", "hosts", "global domain", "amos", "nist", "webcache", "odyssey", "kaspersky", "keccak256", "ethereum", "hellsuchecker", "eazfuscator" ], "references": [ "https://www.derp.ca/research/hellsuchecker-clickfix-etherhiding/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HellsUchecker", "display_name": "HellsUchecker", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA256": 5, "URL": 7, "domain": 8, "email": 1, "hostname": 11 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.derp.ca/research/hellsuchecker-clickfix-etherhiding/", "IOCs.2026.4.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [ "Hellsuchecker" ], "industries": [], "unique_indicators": 798 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/more-arpc.icu", "whois": "http://whois.domaintools.com/more-arpc.icu", "domain": "more-arpc.icu", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69baa7b58b52ce8d9c292a05", "name": "HellsUchecker: ClickFix to blockchain-backed backdoor", "description": "HellsUchecker is a sophisticated native x64 backdoor, measuring 28 KB, known for its complex 10-stage attack chain that begins with a deceptive ClickFix lure, resembling a Cloudflare CAPTCHA, and culminates in a memory-resident payload that communicates with its command and control (C2) server over HTTPS.\n\nThe initial stage directs victims to a phishing page, http://h01-captcha.sbs, which replicates a legitimate CAPTCHA interface. Upon interaction, it prompts users to execute a malicious command line, facilitated by a clipboard payload that runs the legitimate Windows utility \"finger.exe\" on port 79. This utility fetches malicious commands hidden in a crafted .plan file from a malicious server. The payload then employs a series of instructions to disable the desktop's explorer.exe, download a legitimate Python embed package disguised as a PDF, and execute a secondary payload via a base64-encoded script.", "modified": "2026-04-17T13:02:58.639000", "created": "2026-03-18T13:25:09.956000", "tags": [ "backdoor", "blockchain", "etherhiding", "malware", "reverseengineering", "clickfix", "apis", "msbuild", "domain group", "peb walk", "python", "winhttp", "pe loader", "c2 server", "hell", "smart contract", "gate", "avalanche", "february", "august", "virustotal", "sandbox", "ukraine", "belarus", "armenia", "syscall", "cleanup", "shellcode", "date", "apache", "hosts", "global domain", "amos", "nist", "webcache", "odyssey", "kaspersky", "keccak256", "ethereum", "hellsuchecker", "eazfuscator" ], "references": [ "https://www.derp.ca/research/hellsuchecker-clickfix-etherhiding/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "HellsUchecker", "display_name": "HellsUchecker", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA256": 5, "URL": 7, "domain": 8, "email": 1, "hostname": 11 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://more-arpc.icu", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://more-arpc.icu", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780225123.895539 }