{
  "type": "URL",
  "indicator": "https://mytaxclientcopy.com/xlab22.hta",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://mytaxclientcopy.com/xlab22.hta",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4068638402,
      "indicator": "https://mytaxclientcopy.com/xlab22.hta",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "68264a9c6f5993a7d13fcfbc",
          "name": "Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT",
          "description": "A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.",
          "modified": "2025-05-15T20:41:10.433000",
          "created": "2025-05-15T20:12:12.695000",
          "tags": [
            "uac bypass",
            "process hollowing",
            "shellcode loader",
            "keylogger",
            "tls communication",
            "remcos rat",
            "powershell",
            "evasion techniques",
            "fileless execution"
          ],
          "references": [
            "https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos RAT",
              "display_name": "Remcos RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1548.002",
              "name": "Bypass User Account Control",
              "display_name": "T1548.002 - Bypass User Account Control"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055.012",
              "name": "Process Hollowing",
              "display_name": "T1055.012 - Process Hollowing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA256": 3,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386577,
          "modified_text": "381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b78dfe93c82de3c6a29412",
          "name": "URLHaus data - 15-03-2026 (Part 2)",
          "description": "",
          "modified": "2026-04-15T04:08:56.830000",
          "created": "2026-03-16T04:58:38.786000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "ua-wget",
            "mirai",
            "ACRStealer",
            "ClearFake",
            "arm",
            "gafgyt",
            "sh",
            "dropped-by-amadey",
            "fbf543",
            "c2-monitor-auto",
            "Stealc",
            "opendir",
            "x86",
            "script",
            "CoinMiner",
            "hajime",
            "Vidar",
            "rustystealer",
            "SilverFox",
            "ClickFix",
            "ErrTraffic",
            "NetSupport",
            "powershell",
            "boxter",
            "hta",
            "phishing",
            "zip",
            "pw-2026",
            "pw-ryos",
            "SmartLoader"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 262,
            "hostname": 85,
            "domain": 10
          },
          "indicator_count": 357,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bea6c4f31cc87b236e3996",
          "name": "Payload_Delivery | Mar 22, 2026 | Part 3/3",
          "description": "Payload_Delivery indicators. Date: Mar 22, 2026. Part 3/3. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-21T14:10:12.172000",
          "created": "2026-03-21T14:10:12.172000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 58,
            "URL": 46,
            "hostname": 66,
            "FileHash-SHA256": 53,
            "FileHash-MD5": 49,
            "FileHash-SHA1": 49
          },
          "indicator_count": 321,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "71 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bd55c5fce9da8a5ea57610",
          "name": "Payload_Delivery | Mar 21, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Mar 21, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-20T14:12:21.412000",
          "created": "2026-03-20T14:12:21.412000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 89,
            "hostname": 721,
            "URL": 363,
            "domain": 501,
            "FileHash-MD5": 56,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1779,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "72 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bc04acbe4a8aaec1b67e95",
          "name": "Payload_Delivery | Mar 20, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Mar 20, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-19T14:14:04.504000",
          "created": "2026-03-19T14:14:04.504000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 389,
            "URL": 361,
            "hostname": 824,
            "FileHash-MD5": 57,
            "FileHash-SHA256": 85,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1765,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "73 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bab2adaa1bf4df291f7430",
          "name": "Payload_Delivery | Mar 19, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Mar 19, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-18T14:11:57.508000",
          "created": "2026-03-18T14:11:57.508000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 312,
            "hostname": 683,
            "domain": 330,
            "FileHash-SHA256": 82,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1605,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "74 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ba385644f1345d4c73440b",
          "name": "Payload_Delivery | Mar 18, 2026 | Part 2/2",
          "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-18T05:29:58.148000",
          "created": "2026-03-18T05:29:58.148000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 688,
            "URL": 303,
            "domain": 319,
            "FileHash-SHA256": 62,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1570,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "74 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b9fa91f2bafaf0571d49bf",
          "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-18T01:06:25.389000",
          "created": "2026-03-18T01:06:25.389000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 851,
            "URL": 409,
            "domain": 613,
            "FileHash-SHA256": 66,
            "FileHash-MD5": 30,
            "FileHash-SHA1": 13
          },
          "indicator_count": 1982,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "74 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b9f5633c8ba6327f55fa88",
          "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-18T00:44:19.262000",
          "created": "2026-03-18T00:44:19.262000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 846,
            "URL": 409,
            "domain": 613,
            "FileHash-SHA256": 67,
            "FileHash-MD5": 32,
            "FileHash-SHA1": 15
          },
          "indicator_count": 1982,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "74 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b95fdf37ebd2116dbaae77",
          "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-17T14:06:23.641000",
          "created": "2026-03-17T14:06:23.641000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 782,
            "URL": 391,
            "domain": 606,
            "FileHash-SHA256": 99,
            "FileHash-MD5": 55,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1982,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "75 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b808a8ecd284c2cc585c14",
          "name": "Payload_Delivery | Mar 17, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 17, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-16T13:42:00.175000",
          "created": "2026-03-16T13:42:00.175000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 918,
            "domain": 396,
            "FileHash-SHA256": 99,
            "URL": 367,
            "FileHash-MD5": 155,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "76 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b6bc121a952c45ee50b80f",
          "name": "Payload_Delivery | Mar 16, 2026 | Part 1/2",
          "description": "Payload_Delivery indicators. Date: Mar 16, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-03-15T14:02:58.591000",
          "created": "2026-03-15T14:02:58.591000",
          "tags": [
            "payload_delivery"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 330,
            "hostname": 1031,
            "domain": 363,
            "FileHash-SHA256": 64,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 49
          },
          "indicator_count": 1986,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "77 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68409244750c4c3b0bbb7729",
          "name": "IOCs 2025 JAN-MAY",
          "description": "Latest IOCs that emerged in 2025",
          "modified": "2025-07-04T18:05:18.397000",
          "created": "2025-06-04T18:36:51.684000",
          "tags": [],
          "references": [
            "IOC.pdf"
          ],
          "public": 1,
          "adversary": "Multiple Threat Actors",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 117,
            "domain": 128,
            "email": 2,
            "hostname": 12
          },
          "indicator_count": 521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "331 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68293219731de2634783157e",
          "name": "Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT | Qualys",
          "description": "A recent campaign leverages a sophisticated fileless attack to deliver Remcos RAT using malicious LNK files hidden in ZIP archives. Once opened, the LNK files trigger mshta.exe to execute an obfuscated VBScript that downloads and runs PowerShell payloads directly in memory, bypassing antivirus and leaving minimal traces on disk.",
          "modified": "2025-05-18T01:04:25.109000",
          "created": "2025-05-18T01:04:25.109000",
          "tags": [
            "remcos",
            "remcos rat",
            "loader",
            "rmc7sy4ax",
            "qualys edr",
            "powershell",
            "threat research",
            "base64 data",
            "apis",
            "block",
            "execution",
            "bypass"
          ],
          "references": [
            "https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1417",
              "name": "Input Capture",
              "display_name": "T1417 - Input Capture"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1513",
              "name": "Screen Capture",
              "display_name": "T1513 - Screen Capture"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 5,
            "domain": 4
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "378 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6826e836546a33c7389d2708",
          "name": "Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT | Qualys",
          "description": "A new PowerShell-based shellcode loader, designed to load and execute a remote access trojan, has been uncovered by security researchers in a blog published in the Security Research Journal on 15 May 2025.",
          "modified": "2025-05-16T07:24:38.750000",
          "created": "2025-05-16T07:24:38.750000",
          "tags": [
            "remcos",
            "remcos rat",
            "loader",
            "rmc7sy4ax",
            "qualys edr",
            "powershell",
            "threat research",
            "base64 data",
            "apis",
            "block",
            "execution",
            "bypass"
          ],
          "references": [
            "https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1417",
              "name": "Input Capture",
              "display_name": "T1417 - Input Capture"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1513",
              "name": "Screen Capture",
              "display_name": "T1513 - Screen Capture"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "FileHash-MD5": 4,
            "FileHash-SHA256": 3,
            "domain": 5
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "380 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://ltna.com.au/cyber",
        "IOC.pdf",
        "https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat",
        "https://urlhaus.abuse.ch/browse/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Remcos rat"
          ],
          "industries": [],
          "unique_indicators": 9
        },
        "other": {
          "adversary": [
            "Multiple Threat Actors"
          ],
          "malware_families": [
            "Remcos"
          ],
          "industries": [],
          "unique_indicators": 4421
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/mytaxclientcopy.com",
    "whois": "http://whois.domaintools.com/mytaxclientcopy.com",
    "domain": "mytaxclientcopy.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "68264a9c6f5993a7d13fcfbc",
      "name": "Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT",
      "description": "A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.",
      "modified": "2025-05-15T20:41:10.433000",
      "created": "2025-05-15T20:12:12.695000",
      "tags": [
        "uac bypass",
        "process hollowing",
        "shellcode loader",
        "keylogger",
        "tls communication",
        "remcos rat",
        "powershell",
        "evasion techniques",
        "fileless execution"
      ],
      "references": [
        "https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Remcos RAT",
          "display_name": "Remcos RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1548.002",
          "name": "Bypass User Account Control",
          "display_name": "T1548.002 - Bypass User Account Control"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1020",
          "name": "Automated Exfiltration",
          "display_name": "T1020 - Automated Exfiltration"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055.012",
          "name": "Process Hollowing",
          "display_name": "T1055.012 - Process Hollowing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA256": 3,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386577,
      "modified_text": "381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b78dfe93c82de3c6a29412",
      "name": "URLHaus data - 15-03-2026 (Part 2)",
      "description": "",
      "modified": "2026-04-15T04:08:56.830000",
      "created": "2026-03-16T04:58:38.786000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "ua-wget",
        "mirai",
        "ACRStealer",
        "ClearFake",
        "arm",
        "gafgyt",
        "sh",
        "dropped-by-amadey",
        "fbf543",
        "c2-monitor-auto",
        "Stealc",
        "opendir",
        "x86",
        "script",
        "CoinMiner",
        "hajime",
        "Vidar",
        "rustystealer",
        "SilverFox",
        "ClickFix",
        "ErrTraffic",
        "NetSupport",
        "powershell",
        "boxter",
        "hta",
        "phishing",
        "zip",
        "pw-2026",
        "pw-ryos",
        "SmartLoader"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 262,
        "hostname": 85,
        "domain": 10
      },
      "indicator_count": 357,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bea6c4f31cc87b236e3996",
      "name": "Payload_Delivery | Mar 22, 2026 | Part 3/3",
      "description": "Payload_Delivery indicators. Date: Mar 22, 2026. Part 3/3. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-21T14:10:12.172000",
      "created": "2026-03-21T14:10:12.172000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 58,
        "URL": 46,
        "hostname": 66,
        "FileHash-SHA256": 53,
        "FileHash-MD5": 49,
        "FileHash-SHA1": 49
      },
      "indicator_count": 321,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "71 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bd55c5fce9da8a5ea57610",
      "name": "Payload_Delivery | Mar 21, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Mar 21, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-20T14:12:21.412000",
      "created": "2026-03-20T14:12:21.412000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 89,
        "hostname": 721,
        "URL": 363,
        "domain": 501,
        "FileHash-MD5": 56,
        "FileHash-SHA1": 49
      },
      "indicator_count": 1779,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "72 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bc04acbe4a8aaec1b67e95",
      "name": "Payload_Delivery | Mar 20, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Mar 20, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-19T14:14:04.504000",
      "created": "2026-03-19T14:14:04.504000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 389,
        "URL": 361,
        "hostname": 824,
        "FileHash-MD5": 57,
        "FileHash-SHA256": 85,
        "FileHash-SHA1": 49
      },
      "indicator_count": 1765,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "73 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bab2adaa1bf4df291f7430",
      "name": "Payload_Delivery | Mar 19, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Mar 19, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-18T14:11:57.508000",
      "created": "2026-03-18T14:11:57.508000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 312,
        "hostname": 683,
        "domain": 330,
        "FileHash-SHA256": 82,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 49
      },
      "indicator_count": 1605,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "74 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ba385644f1345d4c73440b",
      "name": "Payload_Delivery | Mar 18, 2026 | Part 2/2",
      "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 2/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-18T05:29:58.148000",
      "created": "2026-03-18T05:29:58.148000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 688,
        "URL": 303,
        "domain": 319,
        "FileHash-SHA256": 62,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 49
      },
      "indicator_count": 1570,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "74 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b9fa91f2bafaf0571d49bf",
      "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-18T01:06:25.389000",
      "created": "2026-03-18T01:06:25.389000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 851,
        "URL": 409,
        "domain": 613,
        "FileHash-SHA256": 66,
        "FileHash-MD5": 30,
        "FileHash-SHA1": 13
      },
      "indicator_count": 1982,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "74 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b9f5633c8ba6327f55fa88",
      "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-18T00:44:19.262000",
      "created": "2026-03-18T00:44:19.262000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 846,
        "URL": 409,
        "domain": 613,
        "FileHash-SHA256": 67,
        "FileHash-MD5": 32,
        "FileHash-SHA1": 15
      },
      "indicator_count": 1982,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "74 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b95fdf37ebd2116dbaae77",
      "name": "Payload_Delivery | Mar 18, 2026 | Part 1/2",
      "description": "Payload_Delivery indicators. Date: Mar 18, 2026. Part 1/2. For more threat intelligence visit https://ltna.com.au/cyber",
      "modified": "2026-03-17T14:06:23.641000",
      "created": "2026-03-17T14:06:23.641000",
      "tags": [
        "payload_delivery"
      ],
      "references": [
        "https://ltna.com.au/cyber"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "LTNA-Australia",
        "id": "380633",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 782,
        "URL": 391,
        "domain": 606,
        "FileHash-SHA256": 99,
        "FileHash-MD5": 55,
        "FileHash-SHA1": 49
      },
      "indicator_count": 1982,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "75 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://mytaxclientcopy.com/xlab22.hta",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://mytaxclientcopy.com/xlab22.hta",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "boxter",
      "hta",
      "phishing"
    ],
    "date_added": "2026-03-15",
    "last_online": "",
    "reporter": "Lenard",
    "host": "mytaxclientcopy.com",
    "payloads": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780262636.1397886
}