{ "type": "URL", "indicator": "https://scan-tron.link/c", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://scan-tron.link/c", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329191433, "indicator": "https://scan-tron.link/c", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee244cac157501c666c1dd", "name": "omeone Is Stealing From the Stealers: A Backdoored Odyssey macOS Panel Leaks Operator Credentials to http://scan-tron.link.", "description": "A recent investigation revealed a sophisticated cyber threat involving the Odyssey macOS stealer panels, particularly highlighting a backdoored version that exfiltrates operator credentials without their knowledge. Security researchers tracked two panels operating on the same Kazakhstan subnet, discovering that one, specifically at the IP address 86.54.25.202, contains a 960-byte credential harvester embedded within its JavaScript bundle. This malicious addition intercepts the operator's login details each time they authenticate, sending the stolen credentials to a receiver at http://scan-tron.link. Meanwhile, the other panel at 86.54.25.204 is uninfected, running a slightly newer software version", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:42:20.057000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "odyssey panel", "odyssey", "goodtec", "latvia", "tls certificate", "js bundle", "subnet", "betrayal", "feature map", "api routes", "april", "telegram", "problem", "python", "nevada", "stealer", "amos", "turn", "odyssey stealer", "poseidon", "atomic macos", "waterhydra" ], "references": [ "https://intel.breakglass.tech/post/odyssey-macos-stealer-backdoored-panel-scan-tron-credential-harvester" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Atomic macOS", "display_name": "Atomic macOS", "target": null }, { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "WaterHydra", "display_name": "WaterHydra", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-SHA256": 2, "URL": 6, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://intel.breakglass.tech/post/odyssey-macos-stealer-backdoored-panel-scan-tron-credential-harvester", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [ "Atomic macos", "Odyssey", "Waterhydra" ], "industries": [], "unique_indicators": 1006 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/scan-tron.link", "whois": "http://whois.domaintools.com/scan-tron.link", "domain": "scan-tron.link", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee244cac157501c666c1dd", "name": "omeone Is Stealing From the Stealers: A Backdoored Odyssey macOS Panel Leaks Operator Credentials to http://scan-tron.link.", "description": "A recent investigation revealed a sophisticated cyber threat involving the Odyssey macOS stealer panels, particularly highlighting a backdoored version that exfiltrates operator credentials without their knowledge. Security researchers tracked two panels operating on the same Kazakhstan subnet, discovering that one, specifically at the IP address 86.54.25.202, contains a 960-byte credential harvester embedded within its JavaScript bundle. This malicious addition intercepts the operator's login details each time they authenticate, sending the stolen credentials to a receiver at http://scan-tron.link. Meanwhile, the other panel at 86.54.25.204 is uninfected, running a slightly newer software version", "modified": "2026-05-26T14:22:02.791000", "created": "2026-04-26T14:42:20.057000", "tags": [ "threat intelligence", "malware analysis", "c2 infrastructure", "apt campaigns", "iocs", "yara rules", "reverse engineering", "cybersecurity research", "odyssey panel", "odyssey", "goodtec", "latvia", "tls certificate", "js bundle", "subnet", "betrayal", "feature map", "api routes", "april", "telegram", "problem", "python", "nevada", "stealer", "amos", "turn", "odyssey stealer", "poseidon", "atomic macos", "waterhydra" ], "references": [ "https://intel.breakglass.tech/post/odyssey-macos-stealer-backdoored-panel-scan-tron-credential-harvester" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Atomic macOS", "display_name": "Atomic macOS", "target": null }, { "id": "Odyssey", "display_name": "Odyssey", "target": null }, { "id": "WaterHydra", "display_name": "WaterHydra", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "FileHash-SHA256": 2, "URL": 6, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://scan-tron.link/c", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://scan-tron.link/c", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180275.517288 }