{ "type": "URL", "indicator": "https://pentagon.cy/log_data", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pentagon.cy/log_data", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4064274426, "indicator": "https://pentagon.cy/log_data", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6811dcb5fec624b72dc95136", "name": "Pentagon Stealer: Go and Python Malware Targeting Crypto", "description": "Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sensitive information. Initially spread through typosquatting, it has appeared under various names like 1312, Acab, Vilsa, and BLX stealer. The Golang version expanded its capabilities to target more browsers. Pentagon Stealer uses HTTP requests for C2 communication and is often part of larger attack chains. While relatively simple, its persistent development and integration into various campaigns make it an ongoing threat to users' financial and personal data.", "modified": "2025-04-30T08:38:04.920000", "created": "2025-04-30T08:17:57.646000", "tags": [ "blx stealer", "data theft", "wallet injection", "python", "1312 stealer", "purecrypter", "cryptocurrency", "vilsa stealer", "go", "browser exploitation", "stealer", "pentagon stealer", "acab stealer" ], "references": [ "https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Pentagon Stealer", "display_name": "Pentagon Stealer", "target": null }, { "id": "1312 Stealer", "display_name": "1312 Stealer", "target": null }, { "id": "Acab Stealer", "display_name": "Acab Stealer", "target": null }, { "id": "Vilsa Stealer", "display_name": "Vilsa Stealer", "target": null }, { "id": "BLX Stealer", "display_name": "BLX Stealer", "target": null }, { "id": "Purecrypter", "display_name": "Purecrypter", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 12, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 387077, "modified_text": "399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "1312 stealer", "Vilsa stealer", "Blx stealer", "Purecrypter", "Pentagon stealer", "Acab stealer" ], "industries": [], "unique_indicators": 21 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pentagon.cy", "whois": "http://whois.domaintools.com/pentagon.cy", "domain": "pentagon.cy", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6811dcb5fec624b72dc95136", "name": "Pentagon Stealer: Go and Python Malware Targeting Crypto", "description": "Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sensitive information. Initially spread through typosquatting, it has appeared under various names like 1312, Acab, Vilsa, and BLX stealer. The Golang version expanded its capabilities to target more browsers. Pentagon Stealer uses HTTP requests for C2 communication and is often part of larger attack chains. While relatively simple, its persistent development and integration into various campaigns make it an ongoing threat to users' financial and personal data.", "modified": "2025-04-30T08:38:04.920000", "created": "2025-04-30T08:17:57.646000", "tags": [ "blx stealer", "data theft", "wallet injection", "python", "1312 stealer", "purecrypter", "cryptocurrency", "vilsa stealer", "go", "browser exploitation", "stealer", "pentagon stealer", "acab stealer" ], "references": [ "https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Pentagon Stealer", "display_name": "Pentagon Stealer", "target": null }, { "id": "1312 Stealer", "display_name": "1312 Stealer", "target": null }, { "id": "Acab Stealer", "display_name": "Acab Stealer", "target": null }, { "id": "Vilsa Stealer", "display_name": "Vilsa Stealer", "target": null }, { "id": "BLX Stealer", "display_name": "BLX Stealer", "target": null }, { "id": "Purecrypter", "display_name": "Purecrypter", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 12, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 6 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 387077, "modified_text": "399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pentagon.cy/log_data", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pentagon.cy/log_data", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780487117.4734137 }