{ "type": "URL", "indicator": "https://my5353.com/nWyTf", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://my5353.com/nWyTf", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4072083905, "indicator": "https://my5353.com/nWyTf", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "699733d20abc04f566f5d380", "name": "2025 Cloud Threat Hunting and Defense Landscape", "description": "The report outlines key cloud security threats for 2025, highlighting exploitation of misconfigurations, cloud abuse, ransomware, credential theft, and third-party risks. Threat actors are increasingly leveraging legitimate cloud services for malicious purposes, including using AI/ML capabilities. The report notes a shift towards cloud-native attack methods that abuse built-in functionality rather than traditional malware. Key trends include threat actors registering their own cloud resources, decreased effectiveness of DDoS attacks on cloud environments, and growing interest in targeting AI services. The analysis covers tactics used by various threat groups and provides detailed mitigation strategies for cloud defenders.", "modified": "2026-02-19T17:42:47.901000", "created": "2026-02-19T16:01:22.672000", "tags": [ "cloud security", "cloud-native attacks", "lamehug", "third-party risk", "seaspy", "acr stealer", "misconfigurations", "fatalrat", "threat landscape", "saltwater", "ai/ml exploitation", "seaside", "ransomware", "credential abuse" ], "references": [ "https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape", "https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "China", "Slovakia", "Taiwan" ], "malware_families": [ { "id": "LameHug", "display_name": "LameHug", "target": null }, { "id": "FatalRAT", "display_name": "FatalRAT", "target": null }, { "id": "SALTWATER", "display_name": "SALTWATER", "target": null }, { "id": "SEASPY", "display_name": "SEASPY", "target": null }, { "id": "SEASIDE", "display_name": "SEASIDE", "target": null }, { "id": "ACR Stealer", "display_name": "ACR Stealer", "target": null } ], "attack_ids": [], "industries": [ "Government", "Technology", "Finance", "Manufacturing", "Telecommunications", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 2479, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 11, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386939, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699bd880098e16c33d767d38", "name": "2025 Cloud Threat Hunting and Defense Landscape", "description": "", "modified": "2026-02-23T04:33:04.095000", "created": "2026-02-23T04:33:04.095000", "tags": [ "cloud security", "cloud-native attacks", "lamehug", "third-party risk", "seaspy", "acr stealer", "misconfigurations", "fatalrat", "threat landscape", "saltwater", "ai/ml exploitation", "seaside", "ransomware", "credential abuse" ], "references": [ "https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape", "https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "China", "Slovakia", "Taiwan" ], "malware_families": [ { "id": "LameHug", "display_name": "LameHug", "target": null }, { "id": "FatalRAT", "display_name": "FatalRAT", "target": null }, { "id": "SALTWATER", "display_name": "SALTWATER", "target": null }, { "id": "SEASPY", "display_name": "SEASPY", "target": null }, { "id": "SEASIDE", "display_name": "SEASIDE", "target": null }, { "id": "ACR Stealer", "display_name": "ACR Stealer", "target": null } ], "attack_ids": [], "industries": [ "Government", "Technology", "Finance", "Manufacturing", "Telecommunications", "Energy" ], "TLP": "white", "cloned_from": "699733d20abc04f566f5d380", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 11, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "99 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683b2878b997cc1bfc7e9857", "name": "APT41's \"ToughProgress\" Malware Abuses Google Calendar for C2 Evasion", "description": "This pulse details APT41's (Winnti Group) new \"ToughProgress\" malware, which weaponizes Google Calendar for stealthy command-and-control (C2) communications. Key highlights from SOCRadar's analysis:\nLegitimacy Abuse: Uses Google Calendar events to hide malicious commands in seemingly benign public calendar entries.\nMulti-Stage Execution: Delivers PowerShell scripts to fetch encrypted payloads, bypassing traditional network defences.\nPersistence Mechanisms: Establishes footholds via scheduled tasks, registry modifications, and DLL sideloading.\nTargeted Evasion: Avoids sandboxes and leverages trusted cloud services to evade detection.\nIOCs Provided: Includes malware hashes, C2 domains, and behavioural patterns for hunting.", "modified": "2025-05-31T16:04:08.616000", "created": "2025-05-31T16:04:08.616000", "tags": [], "references": [], "public": 1, "adversary": "Winnti Group", "targeted_countries": [], "malware_families": [ { "id": "ToughProgress", "display_name": "ToughProgress", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 4, "hostname": 23, "domain": 2, "URL": 41 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape", "https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&format=pjpg&optimize=medium" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Fatalrat", "Acr stealer", "Seaspy", "Seaside", "Saltwater", "Lamehug" ], "industries": [ "Manufacturing", "Energy", "Finance", "Telecommunications", "Government", "Technology" ], "unique_indicators": 17 }, "other": { "adversary": [ "Winnti Group" ], "malware_families": [ "Fatalrat", "Acr stealer", "Toughprogress", "Seaspy", "Seaside", "Saltwater", "Lamehug" ], "industries": [ "Manufacturing", "Energy", "Finance", "Telecommunications", "Government", "Technology" ], "unique_indicators": 93 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/my5353.com", "whois": "http://whois.domaintools.com/my5353.com", "domain": "my5353.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "699733d20abc04f566f5d380", "name": "2025 Cloud Threat Hunting and Defense Landscape", "description": "The report outlines key cloud security threats for 2025, highlighting exploitation of misconfigurations, cloud abuse, ransomware, credential theft, and third-party risks. Threat actors are increasingly leveraging legitimate cloud services for malicious purposes, including using AI/ML capabilities. The report notes a shift towards cloud-native attack methods that abuse built-in functionality rather than traditional malware. Key trends include threat actors registering their own cloud resources, decreased effectiveness of DDoS attacks on cloud environments, and growing interest in targeting AI services. The analysis covers tactics used by various threat groups and provides detailed mitigation strategies for cloud defenders.", "modified": "2026-02-19T17:42:47.901000", "created": "2026-02-19T16:01:22.672000", "tags": [ "cloud security", "cloud-native attacks", "lamehug", "third-party risk", "seaspy", "acr stealer", "misconfigurations", "fatalrat", "threat landscape", "saltwater", "ai/ml exploitation", "seaside", "ransomware", "credential abuse" ], "references": [ "https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape", "https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "China", "Slovakia", "Taiwan" ], "malware_families": [ { "id": "LameHug", "display_name": "LameHug", "target": null }, { "id": "FatalRAT", "display_name": "FatalRAT", "target": null }, { "id": "SALTWATER", "display_name": "SALTWATER", "target": null }, { "id": "SEASPY", "display_name": "SEASPY", "target": null }, { "id": "SEASIDE", "display_name": "SEASIDE", "target": null }, { "id": "ACR Stealer", "display_name": "ACR Stealer", "target": null } ], "attack_ids": [], "industries": [ "Government", "Technology", "Finance", "Manufacturing", "Telecommunications", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 2479, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 11, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386939, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699bd880098e16c33d767d38", "name": "2025 Cloud Threat Hunting and Defense Landscape", "description": "", "modified": "2026-02-23T04:33:04.095000", "created": "2026-02-23T04:33:04.095000", "tags": [ "cloud security", "cloud-native attacks", "lamehug", "third-party risk", "seaspy", "acr stealer", "misconfigurations", "fatalrat", "threat landscape", "saltwater", "ai/ml exploitation", "seaside", "ransomware", "credential abuse" ], "references": [ "https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape", "https://www.recordedfuture.com/research/media_1dd2d1174c3e28d579004a1fe4f44c24107a72547.gif?width=1200&format=pjpg&optimize=medium" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "China", "Slovakia", "Taiwan" ], "malware_families": [ { "id": "LameHug", "display_name": "LameHug", "target": null }, { "id": "FatalRAT", "display_name": "FatalRAT", "target": null }, { "id": "SALTWATER", "display_name": "SALTWATER", "target": null }, { "id": "SEASPY", "display_name": "SEASPY", "target": null }, { "id": "SEASIDE", "display_name": "SEASIDE", "target": null }, { "id": "ACR Stealer", "display_name": "ACR Stealer", "target": null } ], "attack_ids": [], "industries": [ "Government", "Technology", "Finance", "Manufacturing", "Telecommunications", "Energy" ], "TLP": "white", "cloned_from": "699733d20abc04f566f5d380", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 11, "URL": 3, "domain": 1, "hostname": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "99 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683b2878b997cc1bfc7e9857", "name": "APT41's \"ToughProgress\" Malware Abuses Google Calendar for C2 Evasion", "description": "This pulse details APT41's (Winnti Group) new \"ToughProgress\" malware, which weaponizes Google Calendar for stealthy command-and-control (C2) communications. Key highlights from SOCRadar's analysis:\nLegitimacy Abuse: Uses Google Calendar events to hide malicious commands in seemingly benign public calendar entries.\nMulti-Stage Execution: Delivers PowerShell scripts to fetch encrypted payloads, bypassing traditional network defences.\nPersistence Mechanisms: Establishes footholds via scheduled tasks, registry modifications, and DLL sideloading.\nTargeted Evasion: Avoids sandboxes and leverages trusted cloud services to evade detection.\nIOCs Provided: Includes malware hashes, C2 domains, and behavioural patterns for hunting.", "modified": "2025-05-31T16:04:08.616000", "created": "2025-05-31T16:04:08.616000", "tags": [], "references": [], "public": 1, "adversary": "Winnti Group", "targeted_countries": [], "malware_families": [ { "id": "ToughProgress", "display_name": "ToughProgress", "target": null } ], "attack_ids": [ { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "FileHash-SHA256": 4, "hostname": 23, "domain": 2, "URL": 41 }, "indicator_count": 77, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "367 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://my5353.com/nWyTf", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://my5353.com/nWyTf", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780423522.7380626 }