{
  "type": "URL",
  "indicator": "https://rtattack.baqebei1.online/df/tt",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://rtattack.baqebei1.online/df/tt",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3874723888,
      "indicator": "https://rtattack.baqebei1.online/df/tt",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "66701c99b54ffc9a9507ce00",
          "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
          "description": "This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like DarkGate, Matanbuchus, NetSupport, and various information stealers. Despite requiring significant user interaction, the clever social engineering presents an apparent problem and solution simultaneously, prompting users to act without considering the risks.",
          "modified": "2024-07-17T11:06:09.564000",
          "created": "2024-06-17T11:23:05.186000",
          "tags": [
            "malicious script",
            "darkgate",
            "matanbuchus",
            "netsupport",
            "compromise",
            "malware",
            "lumma stealer",
            "powershell",
            "amadey loader",
            "vidar stealer",
            "xmrig",
            "social engineering",
            "jaskago"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "TA571",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Amadey Loader",
              "display_name": "Amadey Loader",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            },
            {
              "id": "JaskaGO",
              "display_name": "JaskaGO",
              "target": null
            },
            {
              "id": "Vidar Stealer",
              "display_name": "Vidar Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1028",
              "name": "Windows Remote Management",
              "display_name": "T1028 - Windows Remote Management"
            },
            {
              "id": "T1557.002",
              "name": "ARP Cache Poisoning",
              "display_name": "T1557.002 - ARP Cache Poisoning"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 383,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 9,
            "email": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386478,
          "modified_text": "682 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6889ff2cfa6a2c08cb85336a",
          "name": "EbeeJuly2025 Pt2",
          "description": "IOCs of multiple threats observed and collected in July 2025",
          "modified": "2025-08-29T10:02:20.542000",
          "created": "2025-07-30T11:17:00.302000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 65,
            "FileHash-MD5": 177,
            "FileHash-SHA1": 132,
            "FileHash-SHA256": 216,
            "domain": 136,
            "email": 1,
            "hostname": 101
          },
          "indicator_count": 828,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "274 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ba2c2ebf0cd354784a15fd",
          "name": "Clipboard to Compromise: PowerShell Script Self-Pwn | Proofpoint US",
          "description": "Find out more about Proofpoint, the world's leading cybersecurity company, at the same time as the company's US headquarters in New York.  \u00a31.5m ($2.3m)",
          "modified": "2025-03-24T19:03:26.922000",
          "created": "2025-02-22T19:57:34.393000",
          "tags": [
            "powershell",
            "ta571",
            "proofpoint",
            "clearfake",
            "html",
            "html attachment",
            "button",
            "darkgate",
            "clickfix",
            "run dialogue",
            "matanbuchus",
            "april",
            "june",
            "lumma stealer",
            "amadey",
            "hijackloader",
            "webdav",
            "lumma",
            "vidar",
            "netsupport"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "TA571",
              "display_name": "TA571",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Higher Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 9,
            "domain": 7,
            "email": 1,
            "hostname": 2
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667425ce4a185bfbe4e56e26",
          "name": "Malware Disguised as PowerShell Root Certificate Fixes",
          "description": "A complete list of key information on the cyber security threats facing the world, as compiled by the International Institute of Strategic Studies (IoC), from 20 June 2024 to 20 July 2024.",
          "modified": "2024-07-20T12:00:12.902000",
          "created": "2024-06-20T12:51:26.249000",
          "tags": [
            "classification",
            "compromise",
            "urls",
            "cyber",
            "threat",
            "june",
            "time",
            "crypto cyber",
            "defence",
            "hashes"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "URL": 6,
            "domain": 40,
            "hostname": 2
          },
          "indicator_count": 96,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "679 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6670f504c1b637e615dd5624",
          "name": "From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint US",
          "description": "Find out more about Proofpoint and how to protect your people, data and business from cyber threats and attacks at a cost of $2bn (\u00a31.3bn) in total.",
          "modified": "2024-07-18T02:03:46.172000",
          "created": "2024-06-18T02:46:28.768000",
          "tags": [
            "powershell",
            "ta571",
            "proofpoint",
            "clearfake",
            "html",
            "html attachment",
            "button",
            "darkgate",
            "clickfix",
            "run dialogue",
            "matanbuchus",
            "april",
            "june",
            "lumma stealer",
            "amadey",
            "hijackloader",
            "webdav",
            "lumma",
            "vidar",
            "netsupport"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "ClearFake",
              "display_name": "ClearFake",
              "target": null
            },
            {
              "id": "TA571",
              "display_name": "TA571",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Higher Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 9,
            "domain": 7,
            "email": 1,
            "hostname": 2
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "682 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66702101e95965aff5af64a3",
          "name": "From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint US",
          "description": "",
          "modified": "2024-07-17T11:06:09.564000",
          "created": "2024-06-17T11:41:53.555000",
          "tags": [
            "powershell",
            "ta571",
            "proofpoint",
            "clearfake",
            "html",
            "html attachment",
            "button",
            "darkgate",
            "clickfix",
            "run dialogue",
            "matanbuchus",
            "april",
            "june",
            "lumma stealer",
            "amadey",
            "hijackloader",
            "webdav"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 9,
            "domain": 7,
            "email": 1,
            "hostname": 2
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "682 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6678f7baefbe6b659fda56d0",
          "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
          "description": "",
          "modified": "2024-07-17T11:06:09.564000",
          "created": "2024-06-24T04:36:10.480000",
          "tags": [
            "malicious script",
            "darkgate",
            "matanbuchus",
            "netsupport",
            "compromise",
            "malware",
            "lumma stealer",
            "powershell",
            "amadey loader",
            "vidar stealer",
            "xmrig",
            "social engineering",
            "jaskago"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "TA571",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Amadey Loader",
              "display_name": "Amadey Loader",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            },
            {
              "id": "JaskaGO",
              "display_name": "JaskaGO",
              "target": null
            },
            {
              "id": "Vidar Stealer",
              "display_name": "Vidar Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1028",
              "name": "Windows Remote Management",
              "display_name": "T1028 - Windows Remote Management"
            },
            {
              "id": "T1557.002",
              "name": "ARP Cache Poisoning",
              "display_name": "T1557.002 - ARP Cache Poisoning"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66701c99b54ffc9a9507ce00",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 9,
            "email": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "682 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667a6157d714f52b96478c3a",
          "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
          "description": "",
          "modified": "2024-07-17T11:06:09.564000",
          "created": "2024-06-25T06:19:03.100000",
          "tags": [
            "malicious script",
            "darkgate",
            "matanbuchus",
            "netsupport",
            "compromise",
            "malware",
            "lumma stealer",
            "powershell",
            "amadey loader",
            "vidar stealer",
            "xmrig",
            "social engineering",
            "jaskago"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
          ],
          "public": 1,
          "adversary": "TA571",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DarkGate",
              "display_name": "DarkGate",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            },
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "Amadey Loader",
              "display_name": "Amadey Loader",
              "target": null
            },
            {
              "id": "XMRig",
              "display_name": "XMRig",
              "target": null
            },
            {
              "id": "JaskaGO",
              "display_name": "JaskaGO",
              "target": null
            },
            {
              "id": "Vidar Stealer",
              "display_name": "Vidar Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1028",
              "name": "Windows Remote Management",
              "display_name": "T1028 - Windows Remote Management"
            },
            {
              "id": "T1557.002",
              "name": "ARP Cache Poisoning",
              "display_name": "T1557.002 - ARP Cache Poisoning"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6678f7baefbe6b659fda56d0",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 9,
            "email": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "682 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667258d001edc431fa7d7345",
          "name": "Fake Errors Used to Trick Users into Installing Malicious Scripts",
          "description": "",
          "modified": "2024-06-19T04:04:32.877000",
          "created": "2024-06-19T04:04:32.877000",
          "tags": [
            "hashes",
            "sha256",
            "urls"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 6,
            "domain": 4,
            "hostname": 2
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "711 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "TA571"
          ],
          "malware_families": [
            "Netsupport",
            "Darkgate",
            "Jaskago",
            "Vidar stealer",
            "Lumma stealer",
            "Xmrig",
            "Amadey loader",
            "Matanbuchus"
          ],
          "industries": [],
          "unique_indicators": 14
        },
        "other": {
          "adversary": [
            "TA571"
          ],
          "malware_families": [
            "Netsupport",
            "Darkgate",
            "Jaskago",
            "Clearfake",
            "Vidar stealer",
            "Lumma",
            "Vidar",
            "Lumma stealer",
            "Xmrig",
            "Amadey loader",
            "Matanbuchus",
            "Ta571"
          ],
          "industries": [
            "Government",
            "Higher education"
          ],
          "unique_indicators": 996
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/baqebei1.online",
    "whois": "http://whois.domaintools.com/baqebei1.online",
    "domain": "baqebei1.online",
    "hostname": "rtattack.baqebei1.online"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "66701c99b54ffc9a9507ce00",
      "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
      "description": "This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like DarkGate, Matanbuchus, NetSupport, and various information stealers. Despite requiring significant user interaction, the clever social engineering presents an apparent problem and solution simultaneously, prompting users to act without considering the risks.",
      "modified": "2024-07-17T11:06:09.564000",
      "created": "2024-06-17T11:23:05.186000",
      "tags": [
        "malicious script",
        "darkgate",
        "matanbuchus",
        "netsupport",
        "compromise",
        "malware",
        "lumma stealer",
        "powershell",
        "amadey loader",
        "vidar stealer",
        "xmrig",
        "social engineering",
        "jaskago"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "TA571",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Amadey Loader",
          "display_name": "Amadey Loader",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        },
        {
          "id": "JaskaGO",
          "display_name": "JaskaGO",
          "target": null
        },
        {
          "id": "Vidar Stealer",
          "display_name": "Vidar Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1028",
          "name": "Windows Remote Management",
          "display_name": "T1028 - Windows Remote Management"
        },
        {
          "id": "T1557.002",
          "name": "ARP Cache Poisoning",
          "display_name": "T1557.002 - ARP Cache Poisoning"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 383,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 9,
        "email": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386478,
      "modified_text": "682 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6889ff2cfa6a2c08cb85336a",
      "name": "EbeeJuly2025 Pt2",
      "description": "IOCs of multiple threats observed and collected in July 2025",
      "modified": "2025-08-29T10:02:20.542000",
      "created": "2025-07-30T11:17:00.302000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 65,
        "FileHash-MD5": 177,
        "FileHash-SHA1": 132,
        "FileHash-SHA256": 216,
        "domain": 136,
        "email": 1,
        "hostname": 101
      },
      "indicator_count": 828,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "274 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ba2c2ebf0cd354784a15fd",
      "name": "Clipboard to Compromise: PowerShell Script Self-Pwn | Proofpoint US",
      "description": "Find out more about Proofpoint, the world's leading cybersecurity company, at the same time as the company's US headquarters in New York.  \u00a31.5m ($2.3m)",
      "modified": "2025-03-24T19:03:26.922000",
      "created": "2025-02-22T19:57:34.393000",
      "tags": [
        "powershell",
        "ta571",
        "proofpoint",
        "clearfake",
        "html",
        "html attachment",
        "button",
        "darkgate",
        "clickfix",
        "run dialogue",
        "matanbuchus",
        "april",
        "june",
        "lumma stealer",
        "amadey",
        "hijackloader",
        "webdav",
        "lumma",
        "vidar",
        "netsupport"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "ClearFake",
          "display_name": "ClearFake",
          "target": null
        },
        {
          "id": "TA571",
          "display_name": "TA571",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Higher Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 9,
        "domain": 7,
        "email": 1,
        "hostname": 2
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "432 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667425ce4a185bfbe4e56e26",
      "name": "Malware Disguised as PowerShell Root Certificate Fixes",
      "description": "A complete list of key information on the cyber security threats facing the world, as compiled by the International Institute of Strategic Studies (IoC), from 20 June 2024 to 20 July 2024.",
      "modified": "2024-07-20T12:00:12.902000",
      "created": "2024-06-20T12:51:26.249000",
      "tags": [
        "classification",
        "compromise",
        "urls",
        "cyber",
        "threat",
        "june",
        "time",
        "crypto cyber",
        "defence",
        "hashes"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "URL": 6,
        "domain": 40,
        "hostname": 2
      },
      "indicator_count": 96,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "679 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6670f504c1b637e615dd5624",
      "name": "From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint US",
      "description": "Find out more about Proofpoint and how to protect your people, data and business from cyber threats and attacks at a cost of $2bn (\u00a31.3bn) in total.",
      "modified": "2024-07-18T02:03:46.172000",
      "created": "2024-06-18T02:46:28.768000",
      "tags": [
        "powershell",
        "ta571",
        "proofpoint",
        "clearfake",
        "html",
        "html attachment",
        "button",
        "darkgate",
        "clickfix",
        "run dialogue",
        "matanbuchus",
        "april",
        "june",
        "lumma stealer",
        "amadey",
        "hijackloader",
        "webdav",
        "lumma",
        "vidar",
        "netsupport"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "ClearFake",
          "display_name": "ClearFake",
          "target": null
        },
        {
          "id": "TA571",
          "display_name": "TA571",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Higher Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 9,
        "domain": 7,
        "email": 1,
        "hostname": 2
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "682 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66702101e95965aff5af64a3",
      "name": "From Clipboard to Compromise: A PowerShell Self-Pwn | Proofpoint US",
      "description": "",
      "modified": "2024-07-17T11:06:09.564000",
      "created": "2024-06-17T11:41:53.555000",
      "tags": [
        "powershell",
        "ta571",
        "proofpoint",
        "clearfake",
        "html",
        "html attachment",
        "button",
        "darkgate",
        "clickfix",
        "run dialogue",
        "matanbuchus",
        "april",
        "june",
        "lumma stealer",
        "amadey",
        "hijackloader",
        "webdav"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 9,
        "domain": 7,
        "email": 1,
        "hostname": 2
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "682 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6678f7baefbe6b659fda56d0",
      "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
      "description": "",
      "modified": "2024-07-17T11:06:09.564000",
      "created": "2024-06-24T04:36:10.480000",
      "tags": [
        "malicious script",
        "darkgate",
        "matanbuchus",
        "netsupport",
        "compromise",
        "malware",
        "lumma stealer",
        "powershell",
        "amadey loader",
        "vidar stealer",
        "xmrig",
        "social engineering",
        "jaskago"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "TA571",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Amadey Loader",
          "display_name": "Amadey Loader",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        },
        {
          "id": "JaskaGO",
          "display_name": "JaskaGO",
          "target": null
        },
        {
          "id": "Vidar Stealer",
          "display_name": "Vidar Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1028",
          "name": "Windows Remote Management",
          "display_name": "T1028 - Windows Remote Management"
        },
        {
          "id": "T1557.002",
          "name": "ARP Cache Poisoning",
          "display_name": "T1557.002 - ARP Cache Poisoning"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66701c99b54ffc9a9507ce00",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 9,
        "email": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "682 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667a6157d714f52b96478c3a",
      "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
      "description": "",
      "modified": "2024-07-17T11:06:09.564000",
      "created": "2024-06-25T06:19:03.100000",
      "tags": [
        "malicious script",
        "darkgate",
        "matanbuchus",
        "netsupport",
        "compromise",
        "malware",
        "lumma stealer",
        "powershell",
        "amadey loader",
        "vidar stealer",
        "xmrig",
        "social engineering",
        "jaskago"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
      ],
      "public": 1,
      "adversary": "TA571",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DarkGate",
          "display_name": "DarkGate",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        },
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "Amadey Loader",
          "display_name": "Amadey Loader",
          "target": null
        },
        {
          "id": "XMRig",
          "display_name": "XMRig",
          "target": null
        },
        {
          "id": "JaskaGO",
          "display_name": "JaskaGO",
          "target": null
        },
        {
          "id": "Vidar Stealer",
          "display_name": "Vidar Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1028",
          "name": "Windows Remote Management",
          "display_name": "T1028 - Windows Remote Management"
        },
        {
          "id": "T1557.002",
          "name": "ARP Cache Poisoning",
          "display_name": "T1557.002 - ARP Cache Poisoning"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6678f7baefbe6b659fda56d0",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 9,
        "email": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "682 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667258d001edc431fa7d7345",
      "name": "Fake Errors Used to Trick Users into Installing Malicious Scripts",
      "description": "",
      "modified": "2024-06-19T04:04:32.877000",
      "created": "2024-06-19T04:04:32.877000",
      "tags": [
        "hashes",
        "sha256",
        "urls"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 6,
        "domain": 4,
        "hostname": 2
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "711 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://rtattack.baqebei1.online/df/tt",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://rtattack.baqebei1.online/df/tt",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780200846.4912844
}