{ "type": "URL", "indicator": "https://pivigames.blog/adbuho", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://pivigames.blog/adbuho", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4268261431, "indicator": "https://pivigames.blog/adbuho", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69b933387cae1fdd763ccb36", "name": "Endgame Harvesting: Inside ACRStealer's Modern Infrastructure", "description": "ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media.", "modified": "2026-03-17T11:15:41.436000", "created": "2026-03-17T10:55:52.495000", "tags": [ "hijackloader", "data-theft", "gaming-malware", "acrstealer", "evasion", "browser-exploitation", "c2-communication", "maas", "lummastealer", "syscalls" ], "references": [ "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Mongolia" ], "malware_families": [ { "id": "ACRStealer", "display_name": "ACRStealer", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386952, "modified_text": "77 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9562b5b526f029cc287a0", "name": "1000/1000 the US is RIPE with .NET unsigned edge node east coast Intersect", "description": "Analysis Overview\nClassification\nDatacenter / Hosting / VPS\nReverse DNS\nmx3.mail.ovh.net\nLocation\nFrance flag\nFrance\nASN\nAS16276 ovh sas\nDNS Resolutions\n1 Domain\nRelated Pulses\nOTX User-Created Pulses (13)\nRelated Tags\n830 Related Tags\npublic tlp\n, \ntrojandropper\n, \nother\n, \nreferences add\n, \nshow\nMore\nIndicator Facts\nHistorical OTX telemetry\n1 domains resolved in all time\n1 top-level domains\nAntivirus Detections\nALF:HeraklezEval:Worm:Win32/Mimail!rfn\n, \nCan't access file\n, \nWin.Dropper.Agent-362\n, \nWin.Trojan.Crypted-28\n, \nWin.Trojan.Crypted-29\nMore\nAV Detection Ratio\n1000\n / 1000\nExternal Resources\nWhois, \nVirusTotal", "modified": "2026-04-16T13:37:13.951000", "created": "2026-03-17T13:24:59.838000", "tags": [ "datacenter", "hosting", "vps reverse", "location france", "france asn", "as16276", "dns resolutions", "domain", "pulses", "related tags", "virustotal" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 100, "URL": 8, "domain": 1 }, "indicator_count": 311, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9c836442640763d23b366", "name": "Endgame Harvesting: Inside ACRStealer's Modern Infrastructure", "description": "", "modified": "2026-03-17T21:31:34.716000", "created": "2026-03-17T21:31:34.716000", "tags": [ "hijackloader", "data-theft", "gaming-malware", "acrstealer", "evasion", "browser-exploitation", "c2-communication", "maas", "lummastealer", "syscalls" ], "references": [ "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Mongolia" ], "malware_families": [ { "id": "ACRStealer", "display_name": "ACRStealer", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "69b933387cae1fdd763ccb36", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "76 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure", "IOCs.2026.4.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Acrstealer", "Hijackloader", "Lummastealer" ], "industries": [], "unique_indicators": 6 }, "other": { "adversary": [ "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [ "Acrstealer", "Hijackloader", "Lummastealer" ], "industries": [], "unique_indicators": 954 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pivigames.blog", "whois": "http://whois.domaintools.com/pivigames.blog", "domain": "pivigames.blog", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69b933387cae1fdd763ccb36", "name": "Endgame Harvesting: Inside ACRStealer's Modern Infrastructure", "description": "ACRStealer, a sophisticated Malware as a Service, has evolved with enhanced evasion techniques and C2 communication strategies. It employs low-level syscalls and AFD for stealthy operations, bypassing user-mode hooks. The malware uses layered communication, establishing raw TCP connections followed by SSL/TLS over SSPI. ACRStealer's data-stealing capabilities are extensive, targeting browsers, Steam accounts, and performing victim fingerprinting. It can execute secondary payloads and capture screenshots. The malware shows an active infection pattern in countries like the USA, Mongolia, and Germany, communicating with specific IP addresses and domains. Recent developments indicate a shift to LummaStealer, suggesting ongoing threat actor activities targeting gaming platforms and social media.", "modified": "2026-03-17T11:15:41.436000", "created": "2026-03-17T10:55:52.495000", "tags": [ "hijackloader", "data-theft", "gaming-malware", "acrstealer", "evasion", "browser-exploitation", "c2-communication", "maas", "lummastealer", "syscalls" ], "references": [ "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Mongolia" ], "malware_families": [ { "id": "ACRStealer", "display_name": "ACRStealer", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386952, "modified_text": "77 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9562b5b526f029cc287a0", "name": "1000/1000 the US is RIPE with .NET unsigned edge node east coast Intersect", "description": "Analysis Overview\nClassification\nDatacenter / Hosting / VPS\nReverse DNS\nmx3.mail.ovh.net\nLocation\nFrance flag\nFrance\nASN\nAS16276 ovh sas\nDNS Resolutions\n1 Domain\nRelated Pulses\nOTX User-Created Pulses (13)\nRelated Tags\n830 Related Tags\npublic tlp\n, \ntrojandropper\n, \nother\n, \nreferences add\n, \nshow\nMore\nIndicator Facts\nHistorical OTX telemetry\n1 domains resolved in all time\n1 top-level domains\nAntivirus Detections\nALF:HeraklezEval:Worm:Win32/Mimail!rfn\n, \nCan't access file\n, \nWin.Dropper.Agent-362\n, \nWin.Trojan.Crypted-28\n, \nWin.Trojan.Crypted-29\nMore\nAV Detection Ratio\n1000\n / 1000\nExternal Resources\nWhois, \nVirusTotal", "modified": "2026-04-16T13:37:13.951000", "created": "2026-03-17T13:24:59.838000", "tags": [ "datacenter", "hosting", "vps reverse", "location france", "france asn", "as16276", "dns resolutions", "domain", "pulses", "related tags", "virustotal" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 100, "URL": 8, "domain": 1 }, "indicator_count": 311, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "47 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b9c836442640763d23b366", "name": "Endgame Harvesting: Inside ACRStealer's Modern Infrastructure", "description": "", "modified": "2026-03-17T21:31:34.716000", "created": "2026-03-17T21:31:34.716000", "tags": [ "hijackloader", "data-theft", "gaming-malware", "acrstealer", "evasion", "browser-exploitation", "c2-communication", "maas", "lummastealer", "syscalls" ], "references": [ "https://blog.gdatasoftware.com/2026/03/38385-acr-stealer-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Mongolia" ], "malware_families": [ { "id": "ACRStealer", "display_name": "ACRStealer", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": "69b933387cae1fdd763ccb36", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "76 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://pivigames.blog/adbuho", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://pivigames.blog/adbuho", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780429322.8635838 }