{ "type": "URL", "indicator": "https://ql.rustdesk.net/api/index", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ql.rustdesk.net/api/index", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3739476344, "indicator": "https://ql.rustdesk.net/api/index", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "64dc25a3d97bf5ca247b435e", "name": "New wave of Malicious npm Package", "description": "", "modified": "2023-09-15T01:03:36.502000", "created": "2023-08-16T01:25:55.088000", "tags": [], "references": [ "August 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3057 - New wave of Malicious npm Package.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "hostname": 3 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dbc17fbfcf61a0c55492f0", "name": "Sophisticated, Highly-Targeted Attacks Continue to Plague npm", "description": "Phylum, a software risk detection platform, has detected a series of highly-targeted attacks on the npm website, targeting the platform\u2019s main operating system, and the software itself.", "modified": "2023-09-14T18:01:39.593000", "created": "2023-08-15T18:18:39.053000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dbb09c96529f42dd0ead71", "name": "Sophisticated, Highly-Targeted Attacks Continue to Plague npm", "description": "Phylum, a software risk detection platform, has detected a series of highly-targeted attacks on the npm website, targeting the platform\u2019s main operating system, and the software itself.", "modified": "2023-09-14T17:03:28.480000", "created": "2023-08-15T17:06:36.342000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64db63f311b3e1ffb86c0948", "name": "New Wave of Malicious npm Packages", "description": "The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules.\n\nSoftware supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors.\n\nAs many as nine packages have been identified as uploaded to npm between August 9 and 12, 2023. This includes: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins.\n\n\"Due to the sophisticated nature of the attack and the small number of affected packages, we suspect this is another highly targeted attack, likely with a social engineering aspect involved in order to get targets to install these packages,\" the company said.", "modified": "2023-09-14T11:01:03.127000", "created": "2023-08-15T11:39:31.195000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "August 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3057 - New wave of Malicious npm Package.pdf", "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 20 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rustdesk.net", "whois": "http://whois.domaintools.com/rustdesk.net", "domain": "rustdesk.net", "hostname": "ql.rustdesk.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "64dc25a3d97bf5ca247b435e", "name": "New wave of Malicious npm Package", "description": "", "modified": "2023-09-15T01:03:36.502000", "created": "2023-08-16T01:25:55.088000", "tags": [], "references": [ "August 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3057 - New wave of Malicious npm Package.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "hostname": 3 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dbc17fbfcf61a0c55492f0", "name": "Sophisticated, Highly-Targeted Attacks Continue to Plague npm", "description": "Phylum, a software risk detection platform, has detected a series of highly-targeted attacks on the npm website, targeting the platform\u2019s main operating system, and the software itself.", "modified": "2023-09-14T18:01:39.593000", "created": "2023-08-15T18:18:39.053000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dbb09c96529f42dd0ead71", "name": "Sophisticated, Highly-Targeted Attacks Continue to Plague npm", "description": "Phylum, a software risk detection platform, has detected a series of highly-targeted attacks on the npm website, targeting the platform\u2019s main operating system, and the software itself.", "modified": "2023-09-14T17:03:28.480000", "created": "2023-08-15T17:06:36.342000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 164, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64db63f311b3e1ffb86c0948", "name": "New Wave of Malicious npm Packages", "description": "The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules.\n\nSoftware supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors.\n\nAs many as nine packages have been identified as uploaded to npm between August 9 and 12, 2023. This includes: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins.\n\n\"Due to the sophisticated nature of the attack and the small number of affected packages, we suspect this is another highly targeted attack, likely with a social engineering aspect involved in order to get targets to install these packages,\" the company said.", "modified": "2023-09-14T11:01:03.127000", "created": "2023-08-15T11:39:31.195000", "tags": [ "research", "phylum", "august", "june attack", "as16509 http", "date", "rustdesk", "c2 server", "guid", "javascript", "june", "first" ], "references": [ "https://blog.phylum.io/sophisticated-highly-targeted-attacks-continue-to-plague-npm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 5, "hostname": 4 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "989 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ql.rustdesk.net/api/index", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ql.rustdesk.net/api/index", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780203999.0722885 }