{ "type": "URL", "indicator": "https://rt-guard.com/updates/KB80164432", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://rt-guard.com/updates/KB80164432", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4148407167, "indicator": "https://rt-guard.com/updates/KB80164432", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69150258762bfa0fdab9ec05", "name": "Backdoor malware with a legitimate signature is being distributed disguised as a Steam cleanup tool.", "description": "A new distribution of backdoor malware has emerged, masquerading as a legitimate application known as \"SteamCleaner,\" which is marketed as a cleanup tool for the Steam gaming platform. This malware leverages a valid digital signature to enhance its credibility and avoid detection, allowing it to infiltrate user systems more effectively.\n\nOnce installed, the malicious software introduces a Node.js script that operates on the compromised machine. This script establishes periodic communication with a command and control (C2) server, enabling the threat actors to execute various commands remotely. The backdoor functionality of this malware poses significant risks, as it allows for unauthorized access and control over the user's system, potentially leading to further exploitation or data theft.", "modified": "2025-11-12T21:55:36.730000", "created": "2025-11-12T21:55:36.730000", "tags": [ "proxyware", "steamcleaner", "powershell", "asec", "github", "json", "agentversion", "uuid", "4tressx", "steam", "atip", "url https" ], "references": [ "https://asec.ahnlab.com/ko/90915/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 7, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "201 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://asec.ahnlab.com/ko/90915/", "Nov.Week2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu" ], "malware_families": [], "industries": [], "unique_indicators": 1631 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rt-guard.com", "whois": "http://whois.domaintools.com/rt-guard.com", "domain": "rt-guard.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6916aa77dacfe4a69f394336", "name": "EbeeNov2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-20T21:02:55.026000", "created": "2025-11-14T04:05:11.738000", "tags": [ "filehashmd5", "filehashsha1", "filehashsha256" ], "references": [ "Nov.Week2.csv" ], "public": 1, "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 100, "FileHash-SHA256": 131, "URL": 117, "domain": 263, "hostname": 18, "email": 1 }, "indicator_count": 791, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69150258762bfa0fdab9ec05", "name": "Backdoor malware with a legitimate signature is being distributed disguised as a Steam cleanup tool.", "description": "A new distribution of backdoor malware has emerged, masquerading as a legitimate application known as \"SteamCleaner,\" which is marketed as a cleanup tool for the Steam gaming platform. This malware leverages a valid digital signature to enhance its credibility and avoid detection, allowing it to infiltrate user systems more effectively.\n\nOnce installed, the malicious software introduces a Node.js script that operates on the compromised machine. This script establishes periodic communication with a command and control (C2) server, enabling the threat actors to execute various commands remotely. The backdoor functionality of this malware poses significant risks, as it allows for unauthorized access and control over the user's system, potentially leading to further exploitation or data theft.", "modified": "2025-11-12T21:55:36.730000", "created": "2025-11-12T21:55:36.730000", "tags": [ "proxyware", "steamcleaner", "powershell", "asec", "github", "json", "agentversion", "uuid", "4tressx", "steam", "atip", "url https" ], "references": [ "https://asec.ahnlab.com/ko/90915/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "FileHash-MD5": 7, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "201 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://rt-guard.com/updates/KB80164432", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://rt-guard.com/updates/KB80164432", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780419540.1221447 }