{ "type": "URL", "indicator": "https://sciecdn.cfd/gone-2.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sciecdn.cfd/gone-2.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4076207944, "indicator": "https://sciecdn.cfd/gone-2.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "684cb2edbc0cefd5ef2fdd46", "name": "Don't Get Caught in the Headlights - DeerStealer Analysis", "description": "In May 2025, threat actors increasingly attempted to download and execute a sophisticated malware known as HijackLoader, often using DeerStealer\u2014an information-stealer marketed on dark-web forums by the user \"LuciferXfiles\"\u2014as the final payload. The primary access method observed in these attack chains is called ClickFix, which exploits users by redirecting them to phishing pages prompting the execution of malicious commands in the Windows Run Prompt. The initial sequence involves loading an unsigned version of a legitimate DLL named \"cmdres.dll,\" which has been manipulated to facilitate the execution of HijackLoader.", "modified": "2025-06-13T23:23:25.424000", "created": "2025-06-13T23:23:25.424000", "tags": [ "deerstealer c2", "deerstealer", "dropper", "hijackloader", "hash" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 24, "domain": 14, "hostname": 3 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "352 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Technology" ], "unique_indicators": 52 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sciecdn.cfd", "whois": "http://whois.domaintools.com/sciecdn.cfd", "domain": "sciecdn.cfd", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "684cb2edbc0cefd5ef2fdd46", "name": "Don't Get Caught in the Headlights - DeerStealer Analysis", "description": "In May 2025, threat actors increasingly attempted to download and execute a sophisticated malware known as HijackLoader, often using DeerStealer\u2014an information-stealer marketed on dark-web forums by the user \"LuciferXfiles\"\u2014as the final payload. The primary access method observed in these attack chains is called ClickFix, which exploits users by redirecting them to phishing pages prompting the execution of malicious commands in the Windows Run Prompt. The initial sequence involves loading an unsigned version of a legitimate DLL named \"cmdres.dll,\" which has been manipulated to facilitate the execution of HijackLoader.", "modified": "2025-06-13T23:23:25.424000", "created": "2025-06-13T23:23:25.424000", "tags": [ "deerstealer c2", "deerstealer", "dropper", "hijackloader", "hash" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.003", "name": "Distributed Component Object Model", "display_name": "T1021.003 - Distributed Component Object Model" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.001", "name": "Binary Padding", "display_name": "T1027.001 - Binary Padding" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 24, "domain": 14, "hostname": 3 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "352 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sciecdn.cfd/gone-2.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sciecdn.cfd/gone-2.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780331558.3305228 }