{ "type": "URL", "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4141790882, "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "68fbe018d262c706aa5aaefe", "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components", "description": "Bitter, also known as APT-Q-37, is a threat actor group believed to have South Asian origins, primarily targeting government, military, and electric power sectors in China, Pakistan, and other nations. Their objective revolves around the acquisition of sensitive data. Recently, the Qi'anxin Threat Intelligence Center uncovered attack samples linked to Bitter that utilize varied methods to deploy a C# backdoor capable of receiving arbitrary executable files from a remote server.", "modified": "2025-10-24T20:22:48.082000", "created": "2025-10-24T20:22:48.082000", "tags": [ "qianxin threat", "bitter group", "bitter", "attack chain", "xlam file", "august", "winrar version", "user", "word", "exe file", "winrar", "desktop", "april", "android" ], "references": [ "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/" ], "public": 1, "adversary": "Bitter", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 11, "domain": 4, "hostname": 3 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "221 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Bitter" ], "malware_families": [], "industries": [], "unique_indicators": 35 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/esanojinjasvc.com", "whois": "http://whois.domaintools.com/esanojinjasvc.com", "domain": "esanojinjasvc.com", "hostname": "msoffice.365cloudz.esanojinjasvc.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "68fbe018d262c706aa5aaefe", "name": "Bitter (APT-Q-37) uses diverse means to deliver new backdoor components", "description": "Bitter, also known as APT-Q-37, is a threat actor group believed to have South Asian origins, primarily targeting government, military, and electric power sectors in China, Pakistan, and other nations. Their objective revolves around the acquisition of sensitive data. Recently, the Qi'anxin Threat Intelligence Center uncovered attack samples linked to Bitter that utilize varied methods to deploy a C# backdoor capable of receiving arbitrary executable files from a remote server.", "modified": "2025-10-24T20:22:48.082000", "created": "2025-10-24T20:22:48.082000", "tags": [ "qianxin threat", "bitter group", "bitter", "attack chain", "xlam file", "august", "winrar version", "user", "word", "exe file", "winrar", "desktop", "april", "android" ], "references": [ "https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/" ], "public": 1, "adversary": "Bitter", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 11, "domain": 4, "hostname": 3 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "221 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780463338.7106543 }