{
  "type": "URL",
  "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4141428521,
      "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "68f9e25d901d09154f09b282",
          "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
          "description": "The Bitter group, also known as APT-Q-37, has been detected using new attack techniques to deliver a C# backdoor. Two attack chains were identified: one using VBA macros in xlam files to compile and install the backdoor, and another exploiting a WinRAR vulnerability to plant malicious macros. The backdoor communicates with C2 servers, collects device information, and can download and execute arbitrary EXE files. The group, believed to have South Asian origins, targets government, electric power, and military industries in China, Pakistan, and other countries. The attacks demonstrate the group's evolving tactics and expansion of their arsenal, although some methods require specific victim environments to succeed.",
          "modified": "2025-10-23T08:10:10.518000",
          "created": "2025-10-23T08:07:57.672000",
          "tags": [
            "winrar vulnerability",
            "apt-q-37"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
          ],
          "public": 1,
          "adversary": "HAZY TIGER",
          "targeted_countries": [
            "China",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "C# backdoor",
              "display_name": "C# backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 7,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386767,
          "modified_text": "221 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fa56f45f0516a0b3075e7b",
          "name": "EbeeOct2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-11-22T16:03:43.896000",
          "created": "2025-10-23T16:25:24.750000",
          "tags": [],
          "references": [
            "Oct week.3.pdf"
          ],
          "public": 1,
          "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor)",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 61,
            "CIDR": 2,
            "CVE": 3,
            "FileHash-MD5": 175,
            "FileHash-SHA1": 135,
            "FileHash-SHA256": 190,
            "URL": 42,
            "email": 8,
            "hostname": 48
          },
          "indicator_count": 664,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fbe018d262c706aa5aaefe",
          "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
          "description": "Bitter, also known as APT-Q-37, is a threat actor group believed to have South Asian origins, primarily targeting government, military, and electric power sectors in China, Pakistan, and other nations. Their objective revolves around the acquisition of sensitive data. Recently, the Qi'anxin Threat Intelligence Center uncovered attack samples linked to Bitter that utilize varied methods to deploy a C# backdoor capable of receiving arbitrary executable files from a remote server.",
          "modified": "2025-10-24T20:22:48.082000",
          "created": "2025-10-24T20:22:48.082000",
          "tags": [
            "qianxin threat",
            "bitter group",
            "bitter",
            "attack chain",
            "xlam file",
            "august",
            "winrar version",
            "user",
            "word",
            "exe file",
            "winrar",
            "desktop",
            "april",
            "android"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/"
          ],
          "public": 1,
          "adversary": "Bitter",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 11,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "220 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fb340ac7cfc56d32a43c83",
          "name": "IOC - Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
          "description": "",
          "modified": "2025-10-24T08:08:42.976000",
          "created": "2025-10-24T08:08:42.976000",
          "tags": [
            "winrar vulnerability",
            "apt-q-37"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
          ],
          "public": 1,
          "adversary": "Bitter",
          "targeted_countries": [
            "China",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "C# backdoor",
              "display_name": "C# backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": "68f9e25d901d09154f09b282",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 7,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "220 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fb07ff7cc6a508157c7c9a",
          "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
          "description": "",
          "modified": "2025-10-24T05:00:47.578000",
          "created": "2025-10-24T05:00:47.578000",
          "tags": [
            "winrar vulnerability",
            "apt-q-37"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
          ],
          "public": 1,
          "adversary": "Bitter",
          "targeted_countries": [
            "China",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "C# backdoor",
              "display_name": "C# backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": "68f9e25d901d09154f09b282",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 7,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "220 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68fb07fe4098c7224108e476",
          "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
          "description": "",
          "modified": "2025-10-24T05:00:46.248000",
          "created": "2025-10-24T05:00:46.248000",
          "tags": [
            "winrar vulnerability",
            "apt-q-37"
          ],
          "references": [
            "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
          ],
          "public": 1,
          "adversary": "Bitter",
          "targeted_countries": [
            "China",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "C# backdoor",
              "display_name": "C# backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": "68f9e25d901d09154f09b282",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 7,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "220 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f5ced92ca085a5bcf6d625",
          "name": "IOC - \u8513\u7075\u82b1\uff08APT-Q-37\uff09\u4ee5\u591a\u6837\u5316\u624b\u6bb5\u6295\u9012\u65b0\u578b\u540e\u95e8\u7ec4\u4ef6",
          "description": "\u8513\u7075\u82b1\uff0c\u53c8\u540d Bitter\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-37\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u957f\u671f\u9488\u5bf9\u4e2d\u56fd\u3001\u5df4\u57fa\u65af\u5766\u7b49\u56fd\u5bb6\u8fdb\u884c\u653b\u51fb\u6d3b\u52a8\uff0c\u5b9a\u5411\u653b\u51fb\u7684\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u7535\u529b\u3001\u519b\u5de5\u7b49\u9886\u57df\u7684\u5355\u4f4d\uff0c\u610f\u56fe\u7a83\u53d6\u654f\u611f\u8d44\u6599\u3002",
          "modified": "2025-10-20T05:55:37.835000",
          "created": "2025-10-20T05:55:37.835000",
          "tags": [
            "url https"
          ],
          "references": [
            "https://mp.weixin.qq.com/s?src=11&timestamp=1760939332&ver=6307&signature=XgNomJBFgH1MlkPEnL0IrXVuPltp4Zt5*qMOePZFl0Gl-5mhMnhaiTKD76yb4Y59YMEdhIMjrxaeUvbhJN*l8nfVh-nKyCh23JbsEEcoymFRC8g-2ZIuUSBGyO9nCxPH&new=1"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 6,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "224 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68f5cb6a3e263d4c8991834a",
          "name": "Manlinghua (APT-Q-37) Diversifies to Deliver New Backdoor Components.",
          "description": "Manlinghua, identified as APT-Q-37 and also referred to as Bitter, is an advanced persistent threat group believed to have ties to South Asia. This group has a history of conducting targeted cyberattacks primarily against entities in China, Pakistan, and other related regions. The sectors most affected include government institutions, electric power companies, and the military-industrial complex, with the objective of exfiltrating sensitive and confidential information.",
          "modified": "2025-10-20T05:40:58.249000",
          "created": "2025-10-20T05:40:58.249000",
          "tags": [
            "winrar",
            "xlam",
            "word",
            "code",
            "ctf iot",
            "chamd5",
            "bitter",
            "aptq37",
            "provision",
            "information",
            "desktop",
            "alpha"
          ],
          "references": [
            "https://www.ctfiot.com/274997.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 9,
            "domain": 3,
            "hostname": 4
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "224 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en",
        "https://www.ctfiot.com/274997.html",
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/",
        "https://mp.weixin.qq.com/s?src=11&timestamp=1760939332&ver=6307&signature=XgNomJBFgH1MlkPEnL0IrXVuPltp4Zt5*qMOePZFl0Gl-5mhMnhaiTKD76yb4Y59YMEdhIMjrxaeUvbhJN*l8nfVh-nKyCh23JbsEEcoymFRC8g-2ZIuUSBGyO9nCxPH&new=1",
        "Oct week.3.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "HAZY TIGER"
          ],
          "malware_families": [
            "C# backdoor"
          ],
          "industries": [
            "Energy",
            "Defense",
            "Government"
          ],
          "unique_indicators": 31
        },
        "other": {
          "adversary": [
            "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
            "Bitter"
          ],
          "malware_families": [
            "C# backdoor"
          ],
          "industries": [
            "Energy",
            "Defense",
            "Government"
          ],
          "unique_indicators": 784
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/esanojinjasvc.com",
    "whois": "http://whois.domaintools.com/esanojinjasvc.com",
    "domain": "esanojinjasvc.com",
    "hostname": "msoffice.365cloudz.esanojinjasvc.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "68f9e25d901d09154f09b282",
      "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
      "description": "The Bitter group, also known as APT-Q-37, has been detected using new attack techniques to deliver a C# backdoor. Two attack chains were identified: one using VBA macros in xlam files to compile and install the backdoor, and another exploiting a WinRAR vulnerability to plant malicious macros. The backdoor communicates with C2 servers, collects device information, and can download and execute arbitrary EXE files. The group, believed to have South Asian origins, targets government, electric power, and military industries in China, Pakistan, and other countries. The attacks demonstrate the group's evolving tactics and expansion of their arsenal, although some methods require specific victim environments to succeed.",
      "modified": "2025-10-23T08:10:10.518000",
      "created": "2025-10-23T08:07:57.672000",
      "tags": [
        "winrar vulnerability",
        "apt-q-37"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
      ],
      "public": 1,
      "adversary": "HAZY TIGER",
      "targeted_countries": [
        "China",
        "Pakistan"
      ],
      "malware_families": [
        {
          "id": "C# backdoor",
          "display_name": "C# backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 7,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386767,
      "modified_text": "221 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fa56f45f0516a0b3075e7b",
      "name": "EbeeOct2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-11-22T16:03:43.896000",
      "created": "2025-10-23T16:25:24.750000",
      "tags": [],
      "references": [
        "Oct week.3.pdf"
      ],
      "public": 1,
      "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 61,
        "CIDR": 2,
        "CVE": 3,
        "FileHash-MD5": 175,
        "FileHash-SHA1": 135,
        "FileHash-SHA256": 190,
        "URL": 42,
        "email": 8,
        "hostname": 48
      },
      "indicator_count": 664,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "191 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fbe018d262c706aa5aaefe",
      "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
      "description": "Bitter, also known as APT-Q-37, is a threat actor group believed to have South Asian origins, primarily targeting government, military, and electric power sectors in China, Pakistan, and other nations. Their objective revolves around the acquisition of sensitive data. Recently, the Qi'anxin Threat Intelligence Center uncovered attack samples linked to Bitter that utilize varied methods to deploy a C# backdoor capable of receiving arbitrary executable files from a remote server.",
      "modified": "2025-10-24T20:22:48.082000",
      "created": "2025-10-24T20:22:48.082000",
      "tags": [
        "qianxin threat",
        "bitter group",
        "bitter",
        "attack chain",
        "xlam file",
        "august",
        "winrar version",
        "user",
        "word",
        "exe file",
        "winrar",
        "desktop",
        "april",
        "android"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/"
      ],
      "public": 1,
      "adversary": "Bitter",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 11,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "220 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fb340ac7cfc56d32a43c83",
      "name": "IOC - Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
      "description": "",
      "modified": "2025-10-24T08:08:42.976000",
      "created": "2025-10-24T08:08:42.976000",
      "tags": [
        "winrar vulnerability",
        "apt-q-37"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
      ],
      "public": 1,
      "adversary": "Bitter",
      "targeted_countries": [
        "China",
        "Pakistan"
      ],
      "malware_families": [
        {
          "id": "C# backdoor",
          "display_name": "C# backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": "68f9e25d901d09154f09b282",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 7,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "220 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fb07ff7cc6a508157c7c9a",
      "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
      "description": "",
      "modified": "2025-10-24T05:00:47.578000",
      "created": "2025-10-24T05:00:47.578000",
      "tags": [
        "winrar vulnerability",
        "apt-q-37"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
      ],
      "public": 1,
      "adversary": "Bitter",
      "targeted_countries": [
        "China",
        "Pakistan"
      ],
      "malware_families": [
        {
          "id": "C# backdoor",
          "display_name": "C# backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": "68f9e25d901d09154f09b282",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 7,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "220 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68fb07fe4098c7224108e476",
      "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components",
      "description": "",
      "modified": "2025-10-24T05:00:46.248000",
      "created": "2025-10-24T05:00:46.248000",
      "tags": [
        "winrar vulnerability",
        "apt-q-37"
      ],
      "references": [
        "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en"
      ],
      "public": 1,
      "adversary": "Bitter",
      "targeted_countries": [
        "China",
        "Pakistan"
      ],
      "malware_families": [
        {
          "id": "C# backdoor",
          "display_name": "C# backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": "68f9e25d901d09154f09b282",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "URL": 7,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "220 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f5ced92ca085a5bcf6d625",
      "name": "IOC - \u8513\u7075\u82b1\uff08APT-Q-37\uff09\u4ee5\u591a\u6837\u5316\u624b\u6bb5\u6295\u9012\u65b0\u578b\u540e\u95e8\u7ec4\u4ef6",
      "description": "\u8513\u7075\u82b1\uff0c\u53c8\u540d Bitter\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-37\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u957f\u671f\u9488\u5bf9\u4e2d\u56fd\u3001\u5df4\u57fa\u65af\u5766\u7b49\u56fd\u5bb6\u8fdb\u884c\u653b\u51fb\u6d3b\u52a8\uff0c\u5b9a\u5411\u653b\u51fb\u7684\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u7535\u529b\u3001\u519b\u5de5\u7b49\u9886\u57df\u7684\u5355\u4f4d\uff0c\u610f\u56fe\u7a83\u53d6\u654f\u611f\u8d44\u6599\u3002",
      "modified": "2025-10-20T05:55:37.835000",
      "created": "2025-10-20T05:55:37.835000",
      "tags": [
        "url https"
      ],
      "references": [
        "https://mp.weixin.qq.com/s?src=11&timestamp=1760939332&ver=6307&signature=XgNomJBFgH1MlkPEnL0IrXVuPltp4Zt5*qMOePZFl0Gl-5mhMnhaiTKD76yb4Y59YMEdhIMjrxaeUvbhJN*l8nfVh-nKyCh23JbsEEcoymFRC8g-2ZIuUSBGyO9nCxPH&new=1"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 6,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "224 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68f5cb6a3e263d4c8991834a",
      "name": "Manlinghua (APT-Q-37) Diversifies to Deliver New Backdoor Components.",
      "description": "Manlinghua, identified as APT-Q-37 and also referred to as Bitter, is an advanced persistent threat group believed to have ties to South Asia. This group has a history of conducting targeted cyberattacks primarily against entities in China, Pakistan, and other related regions. The sectors most affected include government institutions, electric power companies, and the military-industrial complex, with the objective of exfiltrating sensitive and confidential information.",
      "modified": "2025-10-20T05:40:58.249000",
      "created": "2025-10-20T05:40:58.249000",
      "tags": [
        "winrar",
        "xlam",
        "word",
        "code",
        "ctf iot",
        "chamd5",
        "bitter",
        "aptq37",
        "provision",
        "information",
        "desktop",
        "alpha"
      ],
      "references": [
        "https://www.ctfiot.com/274997.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 9,
        "domain": 3,
        "hostname": 4
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "224 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780353994.430576
}