{ "type": "URL", "indicator": "https://rpc.payload.de", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rpc.payload.de", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4160270573, "indicator": "https://rpc.payload.de", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69395510912ec76473ed9501", "name": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig", "description": "", "modified": "2026-01-09T11:02:53.662000", "created": "2025-12-10T11:10:08.734000", "tags": [ "etherrat", "react2shell", "dprk", "december", "cve202555182", "rscs", "sysdig trt", "cobalt strike", "stage", "ethereum rpc", "sliver", "powershell", "vshell", "xmrig", "shell", "hunt" ], "references": [ "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mengkuong", "id": "239193", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "CVE": 1, "domain": 2, "hostname": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6938f3d717ae870f6a4b1515", "name": "DPRK\u2019s New Weapon EtherRAT Uses Smart Contracts to Outsmart Defenders", "description": "Our analysis of an EtherRAT implant shows that the network's infrastructure is vulnerable to a malicious strain of the Ethereum virtual currency, also known as Ether RAT, which can be hijacked and used to steal money.", "modified": "2026-01-09T03:03:15.683000", "created": "2025-12-10T04:15:19.613000", "tags": [ "type value", "etherrat note", "iocs", "staging server", "payload url", "etherrat", "react2shell", "dprk", "december", "cve202555182", "rscs", "sysdig trt", "cobalt strike", "stage", "ethereum rpc", "sliver", "powershell", "vshell", "xmrig", "shell", "hunt", "lazarus", "threat intelligence", "beavertail", "javascript" ], "references": [ "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "CVE": 1, "domain": 2, "hostname": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Beavertail", "Threat intelligence", "Javascript" ], "industries": [], "unique_indicators": 572 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/payload.de", "whois": "http://whois.domaintools.com/payload.de", "domain": "payload.de", "hostname": "rpc.payload.de" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69395510912ec76473ed9501", "name": "EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig", "description": "", "modified": "2026-01-09T11:02:53.662000", "created": "2025-12-10T11:10:08.734000", "tags": [ "etherrat", "react2shell", "dprk", "december", "cve202555182", "rscs", "sysdig trt", "cobalt strike", "stage", "ethereum rpc", "sliver", "powershell", "vshell", "xmrig", "shell", "hunt" ], "references": [ "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mengkuong", "id": "239193", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "CVE": 1, "domain": 2, "hostname": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6938f3d717ae870f6a4b1515", "name": "DPRK\u2019s New Weapon EtherRAT Uses Smart Contracts to Outsmart Defenders", "description": "Our analysis of an EtherRAT implant shows that the network's infrastructure is vulnerable to a malicious strain of the Ethereum virtual currency, also known as Ether RAT, which can be hijacked and used to steal money.", "modified": "2026-01-09T03:03:15.683000", "created": "2025-12-10T04:15:19.613000", "tags": [ "type value", "etherrat note", "iocs", "staging server", "payload url", "etherrat", "react2shell", "dprk", "december", "cve202555182", "rscs", "sysdig trt", "cobalt strike", "stage", "ethereum rpc", "sliver", "powershell", "vshell", "xmrig", "shell", "hunt", "lazarus", "threat intelligence", "beavertail", "javascript" ], "references": [ "https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Threat Intelligence", "display_name": "Threat Intelligence", "target": null }, { "id": "BeaverTail", "display_name": "BeaverTail", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "CVE": 1, "domain": 2, "hostname": 9 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "141 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rpc.payload.de", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rpc.payload.de", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180172.5207233 }