{
  "type": "URL",
  "indicator": "https://pub.culture-quest.shop",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://pub.culture-quest.shop",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4043716721,
      "indicator": "https://pub.culture-quest.shop",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "67ca2991532d81738cbca1e8",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-06T23:02:41.409000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 58,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386493,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d06409e03b19fb2eb737c5",
          "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub",
          "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.",
          "modified": "2025-04-10T16:02:20.978000",
          "created": "2025-03-11T16:25:45.654000",
          "tags": [
            "url https",
            "ip address",
            "indicator type",
            "type https",
            "filename sha256",
            "c2s indicator",
            "domain",
            "urls indicator",
            "url indicator",
            "indicator",
            "powershell",
            "autoit"
          ],
          "references": [],
          "public": 1,
          "adversary": "[Unnamed group]",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dylanroth7",
            "id": "285032",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "FileHash-MD5": 75,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "domain": 58,
            "hostname": 2
          },
          "indicator_count": 387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "415 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cba2c76268444d82d2d9ab",
          "name": "One Million Devices Impacted by Infostealer Campaign",
          "description": "A sophisticated cyber campaign run by the threat group tracked as Storm-0408 has compromised about one million devices to deploy malicious payloads (information stealers and remote access tools).",
          "modified": "2025-04-07T01:00:24.947000",
          "created": "2025-03-08T01:52:07.443000",
          "tags": [
            "domain",
            "url https",
            "indicator",
            "file name",
            "filename sha256",
            "certificate",
            "githubhosted",
            "secondstage",
            "c2s indicator",
            "type",
            "powershell",
            "ip address",
            "type http",
            "c2 http",
            "computer",
            "c2 fourthstage",
            "url fourthstage",
            "indicator type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 58,
            "URL": 57,
            "hostname": 2,
            "FileHash-MD5": 35,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 109
          },
          "indicator_count": 307,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cb8afb5b6010855bdd027f",
          "name": "InQuest - 07-03-2025",
          "description": "",
          "modified": "2025-04-07T00:03:06.367000",
          "created": "2025-03-08T00:10:35.322000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 655,
            "FileHash-SHA1": 27,
            "URL": 476,
            "hostname": 84,
            "domain": 129,
            "FileHash-MD5": 27
          },
          "indicator_count": 1398,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cacce2ff28f3af5baa75bc",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Indicators extracted from the Microsoft Security Blog post 'Malvertising campaign leads to info stealers hosted on GitHub' (2025-03-06), which describes a large-scale malvertising campaign that redirected users from illegal streaming sites to payloads hosted on GitHub, delivering information stealers (Lumma, Doenerium) and NetSupport RAT. See the references field for the source article.",
          "modified": "2025-04-06T10:00:27.717000",
          "created": "2025-03-07T10:39:30.563000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cacce59175307b6d7f03c6",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Indicators extracted from the Microsoft Security Blog post 'Malvertising campaign leads to info stealers hosted on GitHub' (2025-03-06), which describes a large-scale malvertising campaign that redirected users from illegal streaming sites to payloads hosted on GitHub, delivering information stealers (Lumma, Doenerium) and NetSupport RAT. See the references field for the source article.",
          "modified": "2025-04-06T10:00:27.717000",
          "created": "2025-03-07T10:39:33.594000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ca39006b50993d4ba19927",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Indicators extracted from the Microsoft Security Blog post 'Malvertising campaign leads to info stealers hosted on GitHub' (2025-03-06), which describes a large-scale malvertising campaign that redirected users from illegal streaming sites to payloads hosted on GitHub, delivering information stealers (Lumma, Doenerium) and NetSupport RAT. See the references field for the source article.",
          "modified": "2025-04-06T00:01:42.553000",
          "created": "2025-03-07T00:08:32.097000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ca394df02a68ad4f8bdd44",
          "name": "InQuest - 06-03-2025",
          "description": "",
          "modified": "2025-04-06T00:01:42.553000",
          "created": "2025-03-07T00:09:49.679000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 597,
            "FileHash-SHA1": 84,
            "URL": 688,
            "hostname": 142,
            "domain": 209,
            "FileHash-MD5": 82
          },
          "indicator_count": 1802,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ce51f0dc644a25a34f6607",
          "name": "IOC&TTP - Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "\u8fd1\u671f\uff0c\u4e00\u9879\u5927\u89c4\u6a21\u7684\u6076\u610f\u5e7f\u544a\uff08Malvertising\uff09\u653b\u51fb\u6d3b\u52a8\u88ab\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\uff0c\u8be5\u653b\u51fb\u5229\u7528\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u4e2d\u7684\u6076\u610f\u5e7f\u544a\u91cd\u5b9a\u5411\u7528\u6237\uff0c\u6700\u7ec8\u6307\u5411GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u7a83\u53d6\u53d7\u5bb3\u8005\u7684\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6b21\u653b\u51fb\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb\uff0c\u5305\u62ec\u4f01\u4e1a\u548c\u6d88\u8d39\u8005\u8bbe\u5907\uff0c\u76ee\u6807\u6db5\u76d6\u591a\u4e2a\u884c\u4e1a\uff0c\u663e\u793a\u51fa\u5176\u9ad8\u5ea6\u968f\u673a\u6027\u3002\n\n\u8be5\u653b\u51fb\u94fe\u91c7\u7528\u591a\u9636\u6bb5\u65b9\u6cd5\uff1a\n\n\u521d\u59cb\u8bbf\u95ee\uff1a\u7528\u6237\u5728\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u89c2\u770b\u76d7\u7248\u89c6\u9891\u65f6\uff0c\u7f51\u7ad9\u5d4c\u5165\u7684\u6076\u610f\u5e7f\u544a\u4f1a\u5c06\u5176\u91cd\u5b9a\u5411\u81f3\u4e2d\u95f4\u7f51\u7ad9\uff0c\u7ee7\u800c\u5f15\u5bfc\u81f3GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f7d\u8377\u3002\n\u6076\u610f\u8f6f\u4ef6\u90e8\u7f72\uff1aGitHub\u4e0a\u7684\u7b2c\u4e00\u9636\u6bb5\u8f7d\u8377\u5145\u5f53\u6295\u653e\u5668\uff08Dropper\uff09\uff0c\u7528\u4e8e\u5728\u53d7\u5bb3\u8005\u8bbe\u5907\u4e0a\u5efa\u7acb\u521d\u59cb\u7acb\u8db3\u70b9\uff0c\u5e76\u6267\u884c\u540e\u7eed\u6076\u610f\u64cd\u4f5c\u3002\n\u4fe1\u606f\u6536\u96c6\uff1a\u7b2c\u4e8c\u9636\u6bb5\u8f7d\u8377\u8fdb\u884c\u7cfb\u7edf\u63a2\u6d4b\uff0c\u6536\u96c6\u8bbe\u5907\u4fe1\u606f\uff08\u5982\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u3001\u663e\u5361\u8be6\u60c5\u3001\u5c4f\u5e55\u5206\u8fa8\u7387\u7b49\uff09\uff0c\u5e76\u901a\u8fc7Base64\u7f16\u7801\u540e\u53d1\u9001\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u3002\n\u540e\u7eed\u653b\u51fb\uff1a\u90e8\u5206\u653b\u51fb\u53d8\u79cd\u5728\u7b2c\u4e8c\u9636\u6bb5\u540e\uff0c\u4f1a\u690d\u5165\u8fdc\u7a0b\u8bbf\u95ee\u5de5\u5177\uff08RAT\uff09\u6216\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982Lumma Stealer\u6216Doenerium\u3002\u53d7\u5bb3\u8bbe\u5907\u7684\u6570\u636e\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u51ed\u8bc1\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u4fe1\u606f\u7b49\uff09\u88ab\u8fdb\u4e00\u6b65\u7a83\u53d6\u548c\u5916\u6cc4\u3002\n\u6301\u4e45\u5316\u4e0e\u89c4\u907f\u68c0\u6d4b\uff1a\u653b\u51fb\u8005\u5229\u7528Windows\u6ce8\u518c\u8868Run\u952e\u3001\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\u7b49\u624b\u6bb5\u786e\u4fdd\u6076\u610f\u8f6f\u4ef6\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u8fd0\u884c\u3002\u540c\u65f6\uff0c\u4f7f\u7528PowerShell\u3001JavaScript\u548cAutoIT\u7b49\u6280\u672f\u8fdb\u884c\u9690\u853d\u64cd\u4f5c\uff0c\u4ee5\u9003\u907f\u5b89\u5168\u9632\u62a4\u63aa\u65bd\u3002",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-10T02:44:00.293000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ca2991532d81738cbca1e8",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ce944e3bd615c4b07a61d7",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-10T07:27:10.896000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ca2991532d81738cbca1e8",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://labs.inquest.net/iocdb",
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Storm-0408"
          ],
          "malware_families": [
            "Doenerium",
            "Netsupport rat",
            "Lumma stealer"
          ],
          "industries": [],
          "unique_indicators": 318
        },
        "other": {
          "adversary": [
            "Storm-0408",
            "[Unnamed group]"
          ],
          "malware_families": [
            "Lumma",
            "Netsupport",
            "Netsupport rat",
            "Doenerium",
            "Lumma stealer"
          ],
          "industries": [
            "Oil and gas",
            "Telecommunications",
            "Higher education",
            "Technology",
            "Energy",
            "Social engineering",
            "Defense",
            "Government",
            "Information technology"
          ],
          "unique_indicators": 2605
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/culture-quest.shop",
    "whois": "http://whois.domaintools.com/culture-quest.shop",
    "domain": "culture-quest.shop",
    "hostname": "pub.culture-quest.shop"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "67ca2991532d81738cbca1e8",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub",
      "description": "A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.",
      "modified": "2025-04-05T23:03:06.500000",
      "created": "2025-03-06T23:02:41.409000",
      "tags": [
        "doenerium",
        "lumma stealer",
        "information stealer",
        "github",
        "lumma",
        "malvertising",
        "living-off-the-land",
        "netsupport rat",
        "multi-stage attack"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "Storm-0408",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma stealer",
          "display_name": "Lumma stealer",
          "target": null
        },
        {
          "id": "Doenerium",
          "display_name": "Doenerium",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 58,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 49,
        "hostname": 1
      },
      "indicator_count": 310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386493,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d06409e03b19fb2eb737c5",
      "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub",
      "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.",
      "modified": "2025-04-10T16:02:20.978000",
      "created": "2025-03-11T16:25:45.654000",
      "tags": [
        "url https",
        "ip address",
        "indicator type",
        "type https",
        "filename sha256",
        "c2s indicator",
        "domain",
        "urls indicator",
        "url indicator",
        "indicator",
        "powershell",
        "autoit"
      ],
      "references": [],
      "public": 1,
      "adversary": "[Unnamed group]",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dylanroth7",
        "id": "285032",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "FileHash-MD5": 75,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "domain": 58,
        "hostname": 2
      },
      "indicator_count": 387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "415 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cba2c76268444d82d2d9ab",
      "name": "One Million Devices Impacted by Infostealer Campaign",
      "description": "A sophisticated cyber campaign run by the threat group called Storm-0408 has\ncompromised about one million devices to deploy malicious payloads.",
      "modified": "2025-04-07T01:00:24.947000",
      "created": "2025-03-08T01:52:07.443000",
      "tags": [
        "domain",
        "url https",
        "indicator",
        "file name",
        "filename sha256",
        "certificate",
        "githubhosted",
        "secondstage",
        "c2s indicator",
        "type",
        "powershell",
        "ip address",
        "type http",
        "c2 http",
        "computer",
        "c2 fourthstage",
        "url fourthstage",
        "indicator type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 58,
        "URL": 57,
        "hostname": 2,
        "FileHash-MD5": 35,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 109
      },
      "indicator_count": 307,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cb8afb5b6010855bdd027f",
      "name": "InQuest - 07-03-2025",
      "description": "",
      "modified": "2025-04-07T00:03:06.367000",
      "created": "2025-03-08T00:10:35.322000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 655,
        "FileHash-SHA1": 27,
        "URL": 476,
        "hostname": 84,
        "domain": 129,
        "FileHash-MD5": 27
      },
      "indicator_count": 1398,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cacce2ff28f3af5baa75bc",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T10:00:27.717000",
      "created": "2025-03-07T10:39:30.563000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cacce59175307b6d7f03c6",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T10:00:27.717000",
      "created": "2025-03-07T10:39:33.594000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ca39006b50993d4ba19927",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T00:01:42.553000",
      "created": "2025-03-07T00:08:32.097000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ca394df02a68ad4f8bdd44",
      "name": "InQuest - 06-03-2025",
      "description": "",
      "modified": "2025-04-06T00:01:42.553000",
      "created": "2025-03-07T00:09:49.679000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 597,
        "FileHash-SHA1": 84,
        "URL": 688,
        "hostname": 142,
        "domain": 209,
        "FileHash-MD5": 82
      },
      "indicator_count": 1802,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ce51f0dc644a25a34f6607",
      "name": "IOC&TTP - Malvertising campaign leads to info stealers hosted on GitHub",
      "description": "\u8fd1\u671f\uff0c\u4e00\u9879\u5927\u89c4\u6a21\u7684\u6076\u610f\u5e7f\u544a\uff08Malvertising\uff09\u653b\u51fb\u6d3b\u52a8\u88ab\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\uff0c\u8be5\u653b\u51fb\u5229\u7528\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u4e2d\u7684\u6076\u610f\u5e7f\u544a\u91cd\u5b9a\u5411\u7528\u6237\uff0c\u6700\u7ec8\u6307\u5411GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u7a83\u53d6\u53d7\u5bb3\u8005\u7684\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6b21\u653b\u51fb\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb\uff0c\u5305\u62ec\u4f01\u4e1a\u548c\u6d88\u8d39\u8005\u8bbe\u5907\uff0c\u76ee\u6807\u6db5\u76d6\u591a\u4e2a\u884c\u4e1a\uff0c\u663e\u793a\u51fa\u5176\u9ad8\u5ea6\u968f\u673a\u6027\u3002\n\n\u8be5\u653b\u51fb\u94fe\u91c7\u7528\u591a\u9636\u6bb5\u65b9\u6cd5\uff1a\n\n\u521d\u59cb\u8bbf\u95ee\uff1a\u7528\u6237\u5728\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u89c2\u770b\u76d7\u7248\u89c6\u9891\u65f6\uff0c\u7f51\u7ad9\u5d4c\u5165\u7684\u6076\u610f\u5e7f\u544a\u4f1a\u5c06\u5176\u91cd\u5b9a\u5411\u81f3\u4e2d\u95f4\u7f51\u7ad9\uff0c\u7ee7\u800c\u5f15\u5bfc\u81f3GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f7d\u8377\u3002\n\u6076\u610f\u8f6f\u4ef6\u90e8\u7f72\uff1aGitHub\u4e0a\u7684\u7b2c\u4e00\u9636\u6bb5\u8f7d\u8377\u5145\u5f53\u6295\u653e\u5668\uff08Dropper\uff09\uff0c\u7528\u4e8e\u5728\u53d7\u5bb3\u8005\u8bbe\u5907\u4e0a\u5efa\u7acb\u521d\u59cb\u7acb\u8db3\u70b9\uff0c\u5e76\u6267\u884c\u540e\u7eed\u6076\u610f\u64cd\u4f5c\u3002\n\u4fe1\u606f\u6536\u96c6\uff1a\u7b2c\u4e8c\u9636\u6bb5\u8f7d\u8377\u8fdb\u884c\u7cfb\u7edf\u63a2\u6d4b\uff0c\u6536\u96c6\u8bbe\u5907\u4fe1\u606f\uff08\u5982\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u3001\u663e\u5361\u8be6\u60c5\u3001\u5c4f\u5e55\u5206\u8fa8\u7387\u7b49\uff09\uff0c\u5e76\u901a\u8fc7Base64\u7f16\u7801\u540e\u53d1\u9001\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u3002\n\u540e\u7eed\u653b\u51fb\uff1a\u90e8\u5206\u653b\u51fb\u53d8\u79cd\u5728\u7b2c\u4e8c\u9636\u6bb5\u540e\uff0c\u4f1a\u690d\u5165\u8fdc\u7a0b\u8bbf\u95ee\u5de5\u5177\uff08RAT\uff09\u6216\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982Lumma Stealer\u6216Doenerium\u3002\u53d7\u5bb3\u8bbe\u5907\u7684\u6570\u636e\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u51ed\u8bc1\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u4fe1\u606f\u7b49\uff09\u88ab\u8fdb\u4e00\u6b65\u7a83\u53d6\u548c\u5916\u6cc4\u3002\n\u6301\u4e45\u5316\u4e0e\u89c4\u907f\u68c0\u6d4b\uff1a\u653b\u51fb\u8005\u5229\u7528Windows\u6ce8\u518c\u8868Run\u952e\u3001\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\u7b49\u624b\u6bb5\u786e\u4fdd\u6076\u610f\u8f6f\u4ef6\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u8fd0\u884c\u3002\u540c\u65f6\uff0c\u4f7f\u7528PowerShell\u3001JavaScript\u548cAutoIT\u7b49\u6280\u672f\u8fdb\u884c\u9690\u853d\u64cd\u4f5c\uff0c\u4ee5\u9003\u907f\u5b89\u5168\u9632\u62a4\u63aa\u65bd\u3002",
      "modified": "2025-04-05T23:03:06.500000",
      "created": "2025-03-10T02:44:00.293000",
      "tags": [
        "doenerium",
        "lumma stealer",
        "information stealer",
        "github",
        "lumma",
        "malvertising",
        "living-off-the-land",
        "netsupport rat",
        "multi-stage attack"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "Storm-0408",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma stealer",
          "display_name": "Lumma stealer",
          "target": null
        },
        {
          "id": "Doenerium",
          "display_name": "Doenerium",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67ca2991532d81738cbca1e8",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 49,
        "hostname": 1
      },
      "indicator_count": 310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ce944e3bd615c4b07a61d7",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub",
      "description": "",
      "modified": "2025-04-05T23:03:06.500000",
      "created": "2025-03-10T07:27:10.896000",
      "tags": [
        "doenerium",
        "lumma stealer",
        "information stealer",
        "github",
        "lumma",
        "malvertising",
        "living-off-the-land",
        "netsupport rat",
        "multi-stage attack"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "Storm-0408",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma stealer",
          "display_name": "Lumma stealer",
          "target": null
        },
        {
          "id": "Doenerium",
          "display_name": "Doenerium",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67ca2991532d81738cbca1e8",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 49,
        "hostname": 1
      },
      "indicator_count": 310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://pub.culture-quest.shop",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://pub.culture-quest.shop",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780212080.0843778
}