{ "type": "URL", "indicator": "https://ownmbaego.com/index.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ownmbaego.com/index.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4131112960, "indicator": "https://ownmbaego.com/index.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68c9199ff5cc9de16f856439", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, modified mutex name generation, and updates to the main module. The network protocol has been slightly adjusted in version 2025, and the scheduled task name for persistence has been updated. These versions fix performance issues and include additional anti-analysis measures. Despite efforts to dismantle it, SmokeLoader continues to evolve and is used by multiple threat groups.", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-16T08:02:39.943000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 377585, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cd48e489662d294d400b29", "name": "Inside SmokeLoader 2025: Evolution of a Persistent Malware Loader", "description": "", "modified": "2025-10-19T12:00:23.614000", "created": "2025-09-19T12:13:24.127000", "tags": [], "references": [ "Cyber Threat Advisory - Inside SmokeLoader 2025 Evolution of a Persistent Malware Loader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 76, "domain": 11, "FileHash-SHA256": 28 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "182 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ca6bfa07f5610e06369741", "name": "IOC - SmokeLoader Rises From the Ashes", "description": "Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader\u2019s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more.", "modified": "2025-10-17T08:05:22.581000", "created": "2025-09-17T08:06:18.278000", "tags": [ "smokeloader c2" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 14, "domain": 10 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb86fe986e86f1f6923e9b", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-18T04:13:50.673000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "68c9199ff5cc9de16f856439", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb8702504bfbb610c109a7", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-18T04:13:54.788000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "68c9199ff5cc9de16f856439", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Cyber Threat Advisory - Inside SmokeLoader 2025 Evolution of a Persistent Malware Loader.pdf", "week3.pdf", "Sep week3.pdf", "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Smokeloader", "Dofoil", "Smoke loader - s0226" ], "industries": [], "unique_indicators": 42 }, "other": { "adversary": [ "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "Multiple" ], "malware_families": [ "Smokeloader", "Dofoil", "Smoke loader - s0226" ], "industries": [], "unique_indicators": 1631 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ownmbaego.com", "whois": "http://whois.domaintools.com/ownmbaego.com", "domain": "ownmbaego.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68c9199ff5cc9de16f856439", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "SmokeLoader, a modular malware loader active since 2011, has resurfaced with new versions in 2025 after Operation Endgame suppressed its activity. The latest variants, 2025 alpha and 2025, include bug fixes and improvements to evade detection. Key changes include a new mutex check in the stager, modified mutex name generation, and updates to the main module. The network protocol has been slightly adjusted in version 2025, and the scheduled task name for persistence has been updated. These versions fix performance issues and include additional anti-analysis measures. Despite efforts to dismantle it, SmokeLoader continues to evolve and is used by multiple threat groups.", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-16T08:02:39.943000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 377585, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cd48e489662d294d400b29", "name": "Inside SmokeLoader 2025: Evolution of a Persistent Malware Loader", "description": "", "modified": "2025-10-19T12:00:23.614000", "created": "2025-09-19T12:13:24.127000", "tags": [], "references": [ "Cyber Threat Advisory - Inside SmokeLoader 2025 Evolution of a Persistent Malware Loader.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 76, "domain": 11, "FileHash-SHA256": 28 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "182 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ca6bfa07f5610e06369741", "name": "IOC - SmokeLoader Rises From the Ashes", "description": "Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. Over the years, SmokeLoader has been updated and enhanced to evade detection and optimize payload delivery. SmokeLoader\u2019s capabilities have also been expanded through a modular plugin framework that is capable of credential harvesting, browser hijacking, cryptocurrency mining, and more.", "modified": "2025-10-17T08:05:22.581000", "created": "2025-09-17T08:06:18.278000", "tags": [ "smokeloader c2" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "URL": 14, "domain": 10 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb86fe986e86f1f6923e9b", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-18T04:13:50.673000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "68c9199ff5cc9de16f856439", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cb8702504bfbb610c109a7", "name": "Technical Analysis of SmokeLoader Version 2025", "description": "", "modified": "2025-10-16T08:01:09.485000", "created": "2025-09-18T04:13:54.788000", "tags": [ "evasion techniques", "persistence", "anti-analysis", "smoke", "dofoil", "smokeloader", "version 2025", "malware loader", "network protocol", "bug fixes" ], "references": [ "https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null }, { "id": "Smoke Loader - S0226", "display_name": "Smoke Loader - S0226", "target": null }, { "id": "Dofoil", "display_name": "Dofoil", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "68c9199ff5cc9de16f856439", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 10, "URL": 12 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ownmbaego.com/index.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ownmbaego.com/index.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776647597.0638914 }