{ "type": "URL", "indicator": "https://rosenbaum.live/bars.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rosenbaum.live/bars.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4054630063, "indicator": "https://rosenbaum.live/bars.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "67eec31b26a9b5d94190be7d", "name": "Threat actors leverage tax season to deploy tax-themed phishing campaigns", "description": "Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.", "modified": "2025-05-03T17:04:15.498000", "created": "2025-04-03T17:19:23.910000", "tags": [ "qr codes", "credential theft", "redirection", "remcos", "malware", "remote access trojans", "tax season", "ahkbot", "phishing", "guloader", "social engineering", "bruteratel c4", "latrodectus" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/" ], "public": 1, "adversary": "Storm-0249", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BruteRatel C4", "display_name": "BruteRatel C4", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "AHKBot", "display_name": "AHKBot", "target": null }, { "id": "GuLoader - S0561", "display_name": "GuLoader - S0561", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [ "Engineering", "Information Technology", "Consulting", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "domain": 8, "hostname": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 377555, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f30d1e5f894bef93248ddd", "name": "InQuest - 06-04-2025", "description": "", "modified": "2025-05-06T23:04:02.399000", "created": "2025-04-06T23:24:14.704000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 100, "URL": 435, "domain": 113, "FileHash-SHA256": 614, "FileHash-SHA1": 26, "FileHash-MD5": 22 }, "indicator_count": 1310, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f1bbda9e928a3743d1c379", "name": "InQuest - 05-04-2025", "description": "", "modified": "2025-05-05T23:03:32.288000", "created": "2025-04-05T23:25:13.994000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-SHA256": 550, "domain": 150, "hostname": 107, "FileHash-SHA1": 39, "FileHash-MD5": 41 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f06bc5e8059cb562270235", "name": "InQuest - 04-04-2025", "description": "", "modified": "2025-05-04T23:03:41.880000", "created": "2025-04-04T23:31:17.659000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 659, "FileHash-SHA256": 572, "FileHash-SHA1": 30, "FileHash-MD5": 43, "hostname": 138, "domain": 135 }, "indicator_count": 1577, "is_author": false, "is_subscribing": null, "subscriber_count": 1602, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f0186d608fe3e62ba938a4", "name": "Threat Actors Leverage Tax Season to Deploy Tax-Themed Phishing Campaigns", "description": "As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.", "modified": "2025-05-04T17:00:27.556000", "created": "2025-04-04T17:35:41.380000", "tags": [ "bruteratel c4", "RaccoonO365", "RATs", "phishing campaigns" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Catbug39", "id": "285054", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 4, "domain": 8, "hostname": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67efa71aaa17b891ebcea467", "name": "Threat actors leverage tax season to deploy tax-themed phishing campaigns | Microsoft Security Blog", "description": "", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:32:10.258000", "tags": [ "microsoft", "united", "latrodectus", "office", "pdf attachment", "qr code", "defender", "remcos", "guloader", "endpoint", "february", "asim", "rats", "hunt", "april", "service", "bazaloader", "icedid", "bumblebee", "installer", "looper", "screenshotter", "powershell", "download", "sentinel", "execution", "twitter" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 10, "email": 1, "hostname": 3 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ef1968f9c1c05c07ef00c0", "name": "InQuest - 03-04-2025", "description": "", "modified": "2025-05-03T23:03:06.090000", "created": "2025-04-03T23:27:36.140000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 533, "FileHash-MD5": 38, "URL": 728, "hostname": 134, "domain": 157, "FileHash-SHA1": 47 }, "indicator_count": 1637, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "week3.pdf", "https://labs.inquest.net/iocdb", "Sep week3.pdf", "https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/" ], "related": { "alienvault": { "adversary": [ "Storm-0249" ], "malware_families": [ "Ahkbot", "Latrodectus", "Guloader - s0561", "Bruteratel c4", "Remcos" ], "industries": [ "Consulting", "Information technology", "Finance", "Engineering" ], "unique_indicators": 24 }, "other": { "adversary": [ "Multiple", "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac" ], "malware_families": [], "industries": [], "unique_indicators": 3925 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rosenbaum.live", "whois": "http://whois.domaintools.com/rosenbaum.live", "domain": "rosenbaum.live", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "67eec31b26a9b5d94190be7d", "name": "Threat actors leverage tax season to deploy tax-themed phishing campaigns", "description": "Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid detection. They lead to phishing pages delivered via RaccoonO365 platform, remote access trojans like Remcos, and other malware such as Latrodectus, BruteRatel C4, AHKBot, and GuLoader. The campaigns target various sectors including engineering, IT, consulting, and accounting firms. Threat actors use social engineering techniques to mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. Microsoft provides detailed mitigation and protection guidance to help users and organizations defend against these tax-centric threats.", "modified": "2025-05-03T17:04:15.498000", "created": "2025-04-03T17:19:23.910000", "tags": [ "qr codes", "credential theft", "redirection", "remcos", "malware", "remote access trojans", "tax season", "ahkbot", "phishing", "guloader", "social engineering", "bruteratel c4", "latrodectus" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/" ], "public": 1, "adversary": "Storm-0249", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BruteRatel C4", "display_name": "BruteRatel C4", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "AHKBot", "display_name": "AHKBot", "target": null }, { "id": "GuLoader - S0561", "display_name": "GuLoader - S0561", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" } ], "industries": [ "Engineering", "Information Technology", "Consulting", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 2, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "domain": 8, "hostname": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 377555, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f30d1e5f894bef93248ddd", "name": "InQuest - 06-04-2025", "description": "", "modified": "2025-05-06T23:04:02.399000", "created": "2025-04-06T23:24:14.704000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 100, "URL": 435, "domain": 113, "FileHash-SHA256": 614, "FileHash-SHA1": 26, "FileHash-MD5": 22 }, "indicator_count": 1310, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f1bbda9e928a3743d1c379", "name": "InQuest - 05-04-2025", "description": "", "modified": "2025-05-05T23:03:32.288000", "created": "2025-04-05T23:25:13.994000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 569, "FileHash-SHA256": 550, "domain": 150, "hostname": 107, "FileHash-SHA1": 39, "FileHash-MD5": 41 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "348 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f06bc5e8059cb562270235", "name": "InQuest - 04-04-2025", "description": "", "modified": "2025-05-04T23:03:41.880000", "created": "2025-04-04T23:31:17.659000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 659, "FileHash-SHA256": 572, "FileHash-SHA1": 30, "FileHash-MD5": 43, "hostname": 138, "domain": 135 }, "indicator_count": 1577, "is_author": false, "is_subscribing": null, "subscriber_count": 1602, "modified_text": "349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67f0186d608fe3e62ba938a4", "name": "Threat Actors Leverage Tax Season to Deploy Tax-Themed Phishing Campaigns", "description": "As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.", "modified": "2025-05-04T17:00:27.556000", "created": "2025-04-04T17:35:41.380000", "tags": [ "bruteratel c4", "RaccoonO365", "RATs", "phishing campaigns" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Catbug39", "id": "285054", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 4, "domain": 8, "hostname": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67efa71aaa17b891ebcea467", "name": "Threat actors leverage tax season to deploy tax-themed phishing campaigns | Microsoft Security Blog", "description": "", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:32:10.258000", "tags": [ "microsoft", "united", "latrodectus", "office", "pdf attachment", "qr code", "defender", "remcos", "guloader", "endpoint", "february", "asim", "rats", "hunt", "april", "service", "bazaloader", "icedid", "bumblebee", "installer", "looper", "screenshotter", "powershell", "download", "sentinel", "execution", "twitter" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 10, "email": 1, "hostname": 3 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67ef1968f9c1c05c07ef00c0", "name": "InQuest - 03-04-2025", "description": "", "modified": "2025-05-03T23:03:06.090000", "created": "2025-04-03T23:27:36.140000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 533, "FileHash-MD5": 38, "URL": 728, "hostname": 134, "domain": 157, "FileHash-SHA1": 47 }, "indicator_count": 1637, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "350 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rosenbaum.live/bars.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rosenbaum.live/bars.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776630067.689358 }