{ "type": "URL", "indicator": "https://nuevaprodeciencia.club/cert.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://nuevaprodeciencia.club/cert.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329329646, "indicator": "https://nuevaprodeciencia.club/cert.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f296e6f8d22e6594cd87c2", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:22.053000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f29701e8ef05a0558464d1", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:49.785000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee33fbd3d9c6ed89cd831d", "name": "Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time", "description": "The article discusses a highly sophisticated phishing campaign in Brazil leveraging a malware known as agenteV2. This interactive Banking Trojan masquerades as an official judicial summons to deceive victims into downloading a malicious payload. Once executed, the malware establishes a persistent WebSocket backdoor that allows attackers to access the victim's system in real time, enabling live financial fraud and credential theft. The threat primarily targets users in Brazil, focusing on major banks and cryptocurrency wallet extensions, thereby raising serious concerns for organizations with employees who may be exposed to the campaign.", "modified": "2026-05-26T15:00:59.832000", "created": "2026-04-26T15:49:15.078000", "tags": [ "c2 ip", "nuitka", "ti lookup", "python", "vbs loader", "pastebin", "brazil", "diebold warsaw", "urls", "registry run", "inter", "persistence", "soar", "banco", "bradesco", "stone", "enough", "trojan", "contact", "phase", "2229", "stealer", "tracker", "open", "verify", "sandbox", "gate", "path", "service", "xworm", "persistent websocket", "websocket" ], "references": [ "https://any.run/cybersecurity-blog/brazilian-banking-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 17, "YARA": 1, "domain": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://any.run/cybersecurity-blog/brazilian-banking-phishing-campaign/", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [ "Financial" ], "unique_indicators": 10616 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/nuevaprodeciencia.club", "whois": "http://whois.domaintools.com/nuevaprodeciencia.club", "domain": "nuevaprodeciencia.club", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f296e6f8d22e6594cd87c2", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:22.053000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f29701e8ef05a0558464d1", "name": "dfhbdfhbfth", "description": "", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:40:49.785000", "tags": [ "eio4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 95, "FileHash-MD5": 47, "FileHash-SHA1": 42, "FileHash-SHA256": 149, "URL": 1251, "hostname": 783 }, "indicator_count": 2367, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee33fbd3d9c6ed89cd831d", "name": "Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time", "description": "The article discusses a highly sophisticated phishing campaign in Brazil leveraging a malware known as agenteV2. This interactive Banking Trojan masquerades as an official judicial summons to deceive victims into downloading a malicious payload. Once executed, the malware establishes a persistent WebSocket backdoor that allows attackers to access the victim's system in real time, enabling live financial fraud and credential theft. The threat primarily targets users in Brazil, focusing on major banks and cryptocurrency wallet extensions, thereby raising serious concerns for organizations with employees who may be exposed to the campaign.", "modified": "2026-05-26T15:00:59.832000", "created": "2026-04-26T15:49:15.078000", "tags": [ "c2 ip", "nuitka", "ti lookup", "python", "vbs loader", "pastebin", "brazil", "diebold warsaw", "urls", "registry run", "inter", "persistence", "soar", "banco", "bradesco", "stone", "enough", "trojan", "contact", "phase", "2229", "stealer", "tracker", "open", "verify", "sandbox", "gate", "path", "service", "xworm", "persistent websocket", "websocket" ], "references": [ "https://any.run/cybersecurity-blog/brazilian-banking-phishing-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [ "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 17, "YARA": 1, "domain": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://nuevaprodeciencia.club/cert.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://nuevaprodeciencia.club/cert.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780191988.4370346 }