{
  "type": "URL",
  "indicator": "https://pubs.infinityfreeapp.com/IRS_P966.html",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://pubs.infinityfreeapp.com/IRS_P966.html",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3951320561,
      "indicator": "https://pubs.infinityfreeapp.com/IRS_P966.html",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "66d6210d8809bca69d931131",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
          "description": "Proofpoint researchers uncovered an unusual campaign delivering custom malware named \"Voldemort\". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets for command and control. The malware has capabilities for information gathering and delivering additional payloads. While the campaign exhibits some characteristics of cybercriminal activity, the nature and capabilities of the malware suggest an espionage objective. The threat actor utilized multiple techniques becoming more popular in the cybercrime landscape, making attribution challenging. The campaign's unusual combination of sophisticated and basic elements makes it difficult to assess the threat actor's capabilities and ultimate goals.",
          "modified": "2024-10-02T20:03:12.150000",
          "created": "2024-09-02T20:33:17.493000",
          "tags": [
            "apt",
            "espionage",
            "cobalt strike",
            "tax authorities",
            "voldemort"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Virgin Islands, U.S.",
            "France",
            "Germany",
            "Italy",
            "British Indian Ocean Territory",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Insurance",
            "Aerospace",
            "Transportation",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 101,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 15,
            "email": 1,
            "hostname": 5
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387042,
          "modified_text": "608 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c64918d4b28fe95cb6bf3f",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign D clone credit AustinBH",
          "description": "",
          "modified": "2026-03-27T09:08:40.507000",
          "created": "2026-03-27T09:08:40.507000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66d73a858bb238c25b7069a8",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 5,
            "URL": 18,
            "domain": 4,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "67 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6837c4d7ee9368a069a48ded",
          "name": "APT41: Innovative Tactics and Techniques in Cyber Espionage.",
          "description": "APT41 is a persistent threat group known for its innovative tactics and multifaceted operations in cyber espionage. The article examines APT41's unique methodologies, highlighting their ability to pivot across sectors and geographies while employing a range of sophisticated techniques.",
          "modified": "2025-05-29T02:22:15.609000",
          "created": "2025-05-29T02:22:15.609000",
          "tags": [
            "plusbed",
            "toughprogress",
            "gtig",
            "b8 b9",
            "ff d0"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TOUGHPROGRESS",
              "display_name": "TOUGHPROGRESS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 4,
            "YARA": 1,
            "hostname": 21,
            "URL": 43,
            "domain": 4
          },
          "indicator_count": 81,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 545,
          "modified_text": "370 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66df81905ecd080c020f1c3e",
          "name": "Weekly OSINT Highlights, 9 September 2024",
          "description": "",
          "modified": "2024-10-09T23:04:10.597000",
          "created": "2024-09-09T23:15:28.810000",
          "tags": [
            "OSINT"
          ],
          "references": [
            "https://community.riskiq.com/article/563312a4"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 378,
            "hostname": 6,
            "URL": 19,
            "FileHash-SHA256": 29,
            "FileHash-SHA1": 1
          },
          "indicator_count": 433,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1625,
          "modified_text": "601 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d73a858bb238c25b7069a8",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "",
          "modified": "2024-10-03T16:03:15.787000",
          "created": "2024-09-03T16:34:13.963000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 5,
            "URL": 18,
            "domain": 4,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "607 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d6a9ae04017be4a78be255",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
          "description": "",
          "modified": "2024-10-02T20:03:12.150000",
          "created": "2024-09-03T06:16:14.789000",
          "tags": [
            "apt",
            "espionage",
            "cobalt strike",
            "tax authorities",
            "voldemort"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Virgin Islands, U.S.",
            "France",
            "Germany",
            "Italy",
            "British Indian Ocean Territory",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Insurance",
            "Aerospace",
            "Transportation",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": "66d6210d8809bca69d931131",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 15,
            "email": 1,
            "hostname": 5
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "608 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f12632d0e5ad330df1a822",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
          "description": "",
          "modified": "2024-10-02T20:03:12.150000",
          "created": "2024-09-23T08:26:26.156000",
          "tags": [
            "apt",
            "espionage",
            "cobalt strike",
            "tax authorities",
            "voldemort"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Virgin Islands, U.S.",
            "France",
            "Germany",
            "Italy",
            "British Indian Ocean Territory",
            "India",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.006",
              "name": "Python",
              "display_name": "T1059.006 - Python"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [
            "Insurance",
            "Aerospace",
            "Transportation",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": "66d6a9ae04017be4a78be255",
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 15,
            "email": 1,
            "hostname": 5
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "608 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d3a207bc1222dd721843f7",
          "name": "Espionage Malware Campaign Uses Google Sheets for C2, Targets Global Organizations",
          "description": "Cybersecurity researchers have uncovered a sophisticated malware campaign targeting organizations worldwide. The attackers, impersonating tax authorities, lure victims with fraudulent emails containing malicious links. Once clicked, these links deliver a malicious payload that installs a backdoor known as \"Voldemort.\"",
          "modified": "2024-09-30T23:00:03.475000",
          "created": "2024-08-31T23:06:47.276000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 17,
            "email": 1,
            "hostname": 7
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "610 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d31f812a5591e4d29c08ad",
          "name": "Voldemort Malware Abuses Google Sheets to Store Stolen Data",
          "description": "IOC (Indicators of Compromise): The full text of the document released by the Italian government on 31 August 2024 and published on the website of O'Dwyda.",
          "modified": "2024-09-30T13:01:51.314000",
          "created": "2024-08-31T13:49:53.805000",
          "tags": [
            "urls",
            "cyber",
            "threat",
            "august",
            "time",
            "crypto cyber",
            "defence",
            "classification",
            "confidential"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 16,
            "hostname": 6
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "610 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1da211c4544ddf765b650",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.",
          "modified": "2024-09-29T14:01:21.291000",
          "created": "2024-08-30T14:41:37.271000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "FileHash-SHA256": 5,
            "URL": 18,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "611 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1a13302f788b415166f87",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.",
          "modified": "2024-09-29T10:02:29.978000",
          "created": "2024-08-30T10:38:43.741000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "Voldemort",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Voldemort",
              "display_name": "Voldemort",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Higher Education",
            "Insurance",
            "Aerospace",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 18,
            "email": 1,
            "hostname": 8
          },
          "indicator_count": 37,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "611 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d1151123006ec958ef3efb",
          "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
          "description": "",
          "modified": "2024-09-29T00:02:28.450000",
          "created": "2024-08-30T00:40:49.647000",
          "tags": [
            "google sheet",
            "voldemort",
            "proofpoint",
            "cobalt strike",
            "webdav share",
            "uuid",
            "google sheets",
            "august",
            "google drive",
            "python code",
            "webdav",
            "python",
            "service",
            "click",
            "powershell",
            "test",
            "webex",
            "rats",
            "format",
            "explorer",
            "malware",
            "stub",
            "code",
            "win64",
            "defense"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 5,
            "URL": 17,
            "email": 1,
            "hostname": 7
          },
          "indicator_count": 35,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "612 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://community.riskiq.com/article/563312a4",
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Voldemort",
            "Cobalt strike - s0154"
          ],
          "industries": [
            "Education",
            "Transportation",
            "Aerospace",
            "Insurance"
          ],
          "unique_indicators": 26
        },
        "other": {
          "adversary": [
            "Voldemort"
          ],
          "malware_families": [
            "Voldemort",
            "Toughprogress",
            "Cobalt strike",
            "Cobalt strike - s0154"
          ],
          "industries": [
            "Education",
            "Transportation",
            "Aerospace",
            "Higher education",
            "Insurance",
            "Government"
          ],
          "unique_indicators": 525
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/infinityfreeapp.com",
    "whois": "http://whois.domaintools.com/infinityfreeapp.com",
    "domain": "infinityfreeapp.com",
    "hostname": "pubs.infinityfreeapp.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "66d6210d8809bca69d931131",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
      "description": "Proofpoint researchers uncovered an unusual campaign delivering custom malware named \"Voldemort\". The activity impersonated tax authorities from various countries and targeted dozens of organizations worldwide. The attack chain combines popular and uncommon techniques, including using Google Sheets for command and control. The malware has capabilities for information gathering and delivering additional payloads. While the campaign exhibits some characteristics of cybercriminal activity, the nature and capabilities of the malware suggest an espionage objective. The threat actor utilized multiple techniques becoming more popular in the cybercrime landscape, making attribution challenging. The campaign's unusual combination of sophisticated and basic elements makes it difficult to assess the threat actor's capabilities and ultimate goals.",
      "modified": "2024-10-02T20:03:12.150000",
      "created": "2024-09-02T20:33:17.493000",
      "tags": [
        "apt",
        "espionage",
        "cobalt strike",
        "tax authorities",
        "voldemort"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Virgin Islands, U.S.",
        "France",
        "Germany",
        "Italy",
        "British Indian Ocean Territory",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Voldemort",
          "display_name": "Voldemort",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Insurance",
        "Aerospace",
        "Transportation",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 101,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 15,
        "email": 1,
        "hostname": 5
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387042,
      "modified_text": "608 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c64918d4b28fe95cb6bf3f",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign D clone credit AustinBH",
      "description": "",
      "modified": "2026-03-27T09:08:40.507000",
      "created": "2026-03-27T09:08:40.507000",
      "tags": [
        "google sheet",
        "voldemort",
        "proofpoint",
        "cobalt strike",
        "webdav share",
        "uuid",
        "google sheets",
        "august",
        "google drive",
        "python code",
        "webdav",
        "python",
        "service",
        "click",
        "powershell",
        "test",
        "webex",
        "rats",
        "format",
        "explorer",
        "malware",
        "stub",
        "code",
        "win64",
        "defense"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66d73a858bb238c25b7069a8",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 5,
        "URL": 18,
        "domain": 4,
        "email": 1,
        "hostname": 8
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "67 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6837c4d7ee9368a069a48ded",
      "name": "APT41: Innovative Tactics and Techniques in Cyber Espionage.",
      "description": "APT41 is a persistent threat group known for its innovative tactics and multifaceted operations in cyber espionage. The article examines APT41's unique methodologies, highlighting their ability to pivot across sectors and geographies while employing a range of sophisticated techniques.",
      "modified": "2025-05-29T02:22:15.609000",
      "created": "2025-05-29T02:22:15.609000",
      "tags": [
        "plusbed",
        "toughprogress",
        "gtig",
        "b8 b9",
        "ff d0"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TOUGHPROGRESS",
          "display_name": "TOUGHPROGRESS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 4,
        "YARA": 1,
        "hostname": 21,
        "URL": 43,
        "domain": 4
      },
      "indicator_count": 81,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 545,
      "modified_text": "370 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66df81905ecd080c020f1c3e",
      "name": "Weekly OSINT Highlights, 9 September 2024",
      "description": "",
      "modified": "2024-10-09T23:04:10.597000",
      "created": "2024-09-09T23:15:28.810000",
      "tags": [
        "OSINT"
      ],
      "references": [
        "https://community.riskiq.com/article/563312a4"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 378,
        "hostname": 6,
        "URL": 19,
        "FileHash-SHA256": 29,
        "FileHash-SHA1": 1
      },
      "indicator_count": 433,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1625,
      "modified_text": "601 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d73a858bb238c25b7069a8",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
      "description": "",
      "modified": "2024-10-03T16:03:15.787000",
      "created": "2024-09-03T16:34:13.963000",
      "tags": [
        "google sheet",
        "voldemort",
        "proofpoint",
        "cobalt strike",
        "webdav share",
        "uuid",
        "google sheets",
        "august",
        "google drive",
        "python code",
        "webdav",
        "python",
        "service",
        "click",
        "powershell",
        "test",
        "webex",
        "rats",
        "format",
        "explorer",
        "malware",
        "stub",
        "code",
        "win64",
        "defense"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AustinBH",
        "id": "147442",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 5,
        "URL": 18,
        "domain": 4,
        "email": 1,
        "hostname": 8
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 57,
      "modified_text": "607 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d6a9ae04017be4a78be255",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
      "description": "",
      "modified": "2024-10-02T20:03:12.150000",
      "created": "2024-09-03T06:16:14.789000",
      "tags": [
        "apt",
        "espionage",
        "cobalt strike",
        "tax authorities",
        "voldemort"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Virgin Islands, U.S.",
        "France",
        "Germany",
        "Italy",
        "British Indian Ocean Territory",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Voldemort",
          "display_name": "Voldemort",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Insurance",
        "Aerospace",
        "Transportation",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": "66d6210d8809bca69d931131",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 15,
        "email": 1,
        "hostname": 5
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "608 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f12632d0e5ad330df1a822",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers 'Voldemort'",
      "description": "",
      "modified": "2024-10-02T20:03:12.150000",
      "created": "2024-09-23T08:26:26.156000",
      "tags": [
        "apt",
        "espionage",
        "cobalt strike",
        "tax authorities",
        "voldemort"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Virgin Islands, U.S.",
        "France",
        "Germany",
        "Italy",
        "British Indian Ocean Territory",
        "India",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "Voldemort",
          "display_name": "Voldemort",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.006",
          "name": "Python",
          "display_name": "T1059.006 - Python"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [
        "Insurance",
        "Aerospace",
        "Transportation",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": "66d6a9ae04017be4a78be255",
      "export_count": 30,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 15,
        "email": 1,
        "hostname": 5
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "608 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d3a207bc1222dd721843f7",
      "name": "Espionage Malware Campaign Uses Google Sheets for C2, Targets Global Organizations",
      "description": "Cybersecurity researchers have uncovered a sophisticated malware campaign targeting organizations worldwide. The attackers, impersonating tax authorities, lure victims with fraudulent emails containing malicious links. Once clicked, these links deliver a malicious payload that installs a backdoor known as \"Voldemort.\"",
      "modified": "2024-09-30T23:00:03.475000",
      "created": "2024-08-31T23:06:47.276000",
      "tags": [
        "google sheet",
        "voldemort",
        "proofpoint",
        "cobalt strike",
        "webdav share",
        "uuid",
        "google sheets",
        "august",
        "google drive",
        "python code",
        "webdav",
        "python",
        "service",
        "click",
        "powershell",
        "test",
        "webex",
        "rats",
        "format",
        "explorer",
        "malware",
        "stub",
        "code",
        "win64",
        "defense"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "Voldemort",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Voldemort",
          "display_name": "Voldemort",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [
        "Government",
        "Higher Education",
        "Insurance",
        "Aerospace",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 5,
        "FileHash-SHA256": 5,
        "URL": 17,
        "email": 1,
        "hostname": 7
      },
      "indicator_count": 35,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "610 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d31f812a5591e4d29c08ad",
      "name": "Voldemort Malware Abuses Google Sheets to Store Stolen Data",
      "description": "IOC (Indicators of Compromise): The full text of the document released by the Italian government on 31 August 2024 and published on the website of O'Dwyda.",
      "modified": "2024-09-30T13:01:51.314000",
      "created": "2024-08-31T13:49:53.805000",
      "tags": [
        "urls",
        "cyber",
        "threat",
        "august",
        "time",
        "crypto cyber",
        "defence",
        "classification",
        "confidential"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 16,
        "hostname": 6
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "610 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d1da211c4544ddf765b650",
      "name": "The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers \u201cVoldemort\u201d | Proofpoint US",
      "description": "Find out more about Proofpoint and how to protect your people, data and business from the latest threats, trends and issues in the cybersecurity industry, in a comprehensive guide to the company's products and services.",
      "modified": "2024-09-29T14:01:21.291000",
      "created": "2024-08-30T14:41:37.271000",
      "tags": [
        "google sheet",
        "voldemort",
        "proofpoint",
        "cobalt strike",
        "webdav share",
        "uuid",
        "google sheets",
        "august",
        "google drive",
        "python code",
        "webdav",
        "python",
        "service",
        "click",
        "powershell",
        "test",
        "webex",
        "rats",
        "format",
        "explorer",
        "malware",
        "stub",
        "code",
        "win64",
        "defense"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort"
      ],
      "public": 1,
      "adversary": "Voldemort",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Voldemort",
          "display_name": "Voldemort",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [
        "Government",
        "Higher Education",
        "Insurance",
        "Aerospace",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AustinBH",
        "id": "147442",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "FileHash-SHA256": 5,
        "URL": 18,
        "email": 1,
        "hostname": 8
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "611 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://pubs.infinityfreeapp.com/IRS_P966.html",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://pubs.infinityfreeapp.com/IRS_P966.html",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780475804.955717
}