{
  "type": "URL",
  "indicator": "https://screenai.online/Home/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://screenai.online/Home/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4126031079,
      "indicator": "https://screenai.online/Home/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "68b6b1b5ba004947dbc00475",
          "name": "CTI Analysis: Malicious Email Campaign",
          "description": "An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign utilized social engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.",
          "modified": "2025-09-02T09:12:14.558000",
          "created": "2025-09-02T08:58:29.355000",
          "tags": [
            "reconnaissance",
            "diplomatic targets",
            "iran-nexus",
            "oman mfa",
            "anti-analysis",
            "spear-phishing",
            "vba macro"
          ],
          "references": [
            "https://dreamgroup.com/blog-cti/"
          ],
          "public": 1,
          "adversary": "Homeland Justice",
          "targeted_countries": [
            "Argentina",
            "Austria",
            "Bahrain",
            "Bangladesh",
            "Brazil",
            "Canada",
            "Colombia",
            "Ethiopia",
            "France",
            "Germany",
            "Hungary",
            "Israel",
            "Italy",
            "Japan",
            "Jordan",
            "Korea, Democratic People's Republic of",
            "Korea, Republic of",
            "Malawi",
            "Mongolia",
            "Netherlands",
            "Nigeria",
            "Oman",
            "Peru",
            "Qatar",
            "Romania",
            "Rwanda",
            "Spain",
            "Sweden",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "sysProcUpdate",
              "display_name": "sysProcUpdate",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 51,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 13,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386942,
          "modified_text": "273 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bc0d92c439f8ebe992a953",
          "name": "EbeeSep2025 Pt1",
          "description": "",
          "modified": "2025-10-11T12:03:16.109000",
          "created": "2025-09-06T10:31:46.478000",
          "tags": [],
          "references": [
            "week1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 12,
            "FileHash-MD5": 157,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 318,
            "URL": 83,
            "domain": 78
          },
          "indicator_count": 789,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "234 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b8341cf36a23ab8e2ae539",
          "name": "dream",
          "description": "A report on a spear-phishing campaign targeting Oman's Ministry of Foreign Affairs (MFA) has been published by the European Union's Dream Security Research Centre (EU), based in London.",
          "modified": "2025-10-03T12:02:47.515000",
          "created": "2025-09-03T12:27:08.373000",
          "tags": [
            "homeland justice",
            "modifications",
            "decode",
            "execute"
          ],
          "references": [
            "https://dreamgroup.com/wp-content/uploads/2025/08/Dream_CTI_Analysis_Malicious_Campaign_by_MOIS_Targeting_Diplomatic_Assets.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Egypt",
            "Iran, Islamic Republic of",
            "Qatar",
            "United States of America",
            "Oman",
            "Ethiopia",
            "Nigeria",
            "Rwanda",
            "Malawi",
            "Italy",
            "France",
            "Romania",
            "Spain",
            "Netherlands",
            "Hungary",
            "Germany",
            "Austria",
            "Sweden",
            "Japan",
            "Korea, Republic of",
            "Thailand",
            "Bangladesh",
            "Mongolia",
            "Malta"
          ],
          "malware_families": [
            {
              "id": "Homeland Justice",
              "display_name": "Homeland Justice",
              "target": null
            },
            {
              "id": "Modifications",
              "display_name": "Modifications",
              "target": null
            },
            {
              "id": "Decode",
              "display_name": "Decode",
              "target": null
            },
            {
              "id": "Execute",
              "display_name": "Execute",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            }
          ],
          "industries": [
            "Diplomatic",
            "Foreign Affairs",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "242 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b69dbd86479339e34aa634",
          "name": "Malicious Campaign Targeting Diplomatic Assets by the Iranian Ministry of Intelligence and Security",
          "description": "A report on a spear-phishing campaign targeting Oman's Ministry of Foreign Affairs (MFA) has been published by the European Union's Dream Security Research Centre (EU), based in London.",
          "modified": "2025-10-02T07:01:13.233000",
          "created": "2025-09-02T07:33:17.030000",
          "tags": [
            "homeland justice",
            "modifications",
            "decode",
            "execute"
          ],
          "references": [
            "https://dreamgroup.com/wp-content/uploads/2025/08/Dream_CTI_Analysis_Malicious_Campaign_by_MOIS_Targeting_Diplomatic_Assets.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Egypt",
            "Iran, Islamic Republic of",
            "Qatar",
            "United States of America",
            "Oman",
            "Ethiopia",
            "Nigeria",
            "Rwanda",
            "Malawi",
            "Italy",
            "France",
            "Romania",
            "Spain",
            "Netherlands",
            "Hungary",
            "Germany",
            "Austria",
            "Sweden",
            "Japan",
            "Korea, Republic of",
            "Thailand",
            "Bangladesh",
            "Mongolia",
            "Malta"
          ],
          "malware_families": [
            {
              "id": "Homeland Justice",
              "display_name": "Homeland Justice",
              "target": null
            },
            {
              "id": "Modifications",
              "display_name": "Modifications",
              "target": null
            },
            {
              "id": "Decode",
              "display_name": "Decode",
              "target": null
            },
            {
              "id": "Execute",
              "display_name": "Execute",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            }
          ],
          "industries": [
            "Diplomatic",
            "Foreign Affairs",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "243 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b85ddfd22106c207329e2b",
          "name": "CTI Analysis: Malicious Email Campaign",
          "description": "Iran-Nexus Spear-Phishing Campaign Masquerades as Omani MFA to Target Global Governments.\nIn August 2025, as part of Dream\u2019s threat intelligence agents\u2019 ongoing monitoring of cyber activity, a spear-phishing campaign was identified leveraging a compromised mailbox of the Ministry of Foreign Affairs of Oman, based on a tweet.\n\nBased on a forensic investigation, we attribute this campaign to Iranian-aligned operators connected to broader offensive cyber activity led by the Homeland Justice group associated with MOIS (Ministry of Intelligence and Security of Iran).\n\nEmails were sent to multiple government recipients worldwide, disguised as legitimate diplomatic communication. The emails contained a malicious Microsoft Word attachment with a disguised registration form. The document embedded encoded content as numerical sequences, which were decoded using embedded VBA macro code. When executed, the macro converted each sequence of three numbers into ASCII characters, reconstructing and deploying the malware payload.",
          "modified": "2025-09-03T15:25:22.269000",
          "created": "2025-09-03T15:25:19.524000",
          "tags": [
            "ministry",
            "spear phishing",
            "mois",
            "Homeland Justice Group",
            "middle east"
          ],
          "references": [
            "https://dreamgroup.com/blog-cti/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Oman",
            "Bahrain",
            "Israel",
            "Jordan",
            "Canada",
            "Brazil",
            "Colombia",
            "Peru",
            "Argentina",
            "Ethiopia",
            "Iran, Islamic Republic of",
            "Rwanda",
            "Italy",
            "France",
            "Romania",
            "Spain",
            "Hungary",
            "Germany",
            "Japan",
            "Thailand",
            "Korea, Republic of"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Catbug39",
            "id": "285054",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 13,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 41,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "272 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b7b34cfc61fd88e3e43d8b",
          "name": "IOC - CTI Analysis: Malicious Email Campaign",
          "description": "",
          "modified": "2025-09-03T03:17:32.028000",
          "created": "2025-09-03T03:17:32.028000",
          "tags": [
            "reconnaissance",
            "diplomatic targets",
            "iran-nexus",
            "oman mfa",
            "anti-analysis",
            "spear-phishing",
            "vba macro"
          ],
          "references": [
            "https://dreamgroup.com/blog-cti/"
          ],
          "public": 1,
          "adversary": "Homeland Justice",
          "targeted_countries": [
            "Argentina",
            "Austria",
            "Bahrain",
            "Bangladesh",
            "Brazil",
            "Canada",
            "Colombia",
            "Ethiopia",
            "France",
            "Germany",
            "Hungary",
            "Israel",
            "Italy",
            "Japan",
            "Jordan",
            "Korea, Democratic People's Republic of",
            "Korea, Republic of",
            "Malawi",
            "Mongolia",
            "Netherlands",
            "Nigeria",
            "Oman",
            "Peru",
            "Qatar",
            "Romania",
            "Rwanda",
            "Spain",
            "Sweden",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "sysProcUpdate",
              "display_name": "sysProcUpdate",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "68b6b1b5ba004947dbc00475",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 13,
            "URL": 1,
            "domain": 1
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "272 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "week1.pdf",
        "https://dreamgroup.com/wp-content/uploads/2025/08/Dream_CTI_Analysis_Malicious_Campaign_by_MOIS_Targeting_Diplomatic_Assets.pdf",
        "https://dreamgroup.com/blog-cti/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Homeland Justice"
          ],
          "malware_families": [
            "Sysprocupdate"
          ],
          "industries": [
            "Government"
          ],
          "unique_indicators": 15
        },
        "other": {
          "adversary": [
            "Multiple",
            "Homeland Justice"
          ],
          "malware_families": [
            "Sysprocupdate",
            "Execute",
            "Homeland justice",
            "Modifications",
            "Decode"
          ],
          "industries": [
            "Government",
            "Energy",
            "Diplomatic",
            "Foreign affairs"
          ],
          "unique_indicators": 921
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/screenai.online",
    "whois": "http://whois.domaintools.com/screenai.online",
    "domain": "screenai.online",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "68b6b1b5ba004947dbc00475",
      "name": "CTI Analysis: Malicious Email Campaign",
      "description": "An Iran-nexus spear-phishing campaign masquerading as the Omani Ministry of Foreign Affairs targeted global governments in August 2025. Attributed to Iranian-aligned operators linked to the Homeland Justice group and MOIS, the campaign used compromised mailboxes to send emails with malicious Microsoft Word attachments. The documents contained VBA macros that decoded and deployed malware payloads. The multi-wave operation targeted diplomatic and governmental entities across multiple regions, including the Middle East, Africa, Europe, Asia, and the Americas. The campaign utilized social engineering lures, anti-analysis techniques, and a reconnaissance-focused malware called sysProcUpdate. The attackers aimed to gain initial access, map internal networks, and prepare for further exploitation in diplomatic and industrial organizations.",
      "modified": "2025-09-02T09:12:14.558000",
      "created": "2025-09-02T08:58:29.355000",
      "tags": [
        "reconnaissance",
        "diplomatic targets",
        "iran-nexus",
        "oman mfa",
        "anti-analysis",
        "spear-phishing",
        "vba macro"
      ],
      "references": [
        "https://dreamgroup.com/blog-cti/"
      ],
      "public": 1,
      "adversary": "Homeland Justice",
      "targeted_countries": [
        "Argentina",
        "Austria",
        "Bahrain",
        "Bangladesh",
        "Brazil",
        "Canada",
        "Colombia",
        "Ethiopia",
        "France",
        "Germany",
        "Hungary",
        "Israel",
        "Italy",
        "Japan",
        "Jordan",
        "Korea, Democratic People's Republic of",
        "Korea, Republic of",
        "Malawi",
        "Mongolia",
        "Netherlands",
        "Nigeria",
        "Oman",
        "Peru",
        "Qatar",
        "Romania",
        "Rwanda",
        "Spain",
        "Sweden",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "sysProcUpdate",
          "display_name": "sysProcUpdate",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1020",
          "name": "Automated Exfiltration",
          "display_name": "T1020 - Automated Exfiltration"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 51,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 13,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386942,
      "modified_text": "273 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bc0d92c439f8ebe992a953",
      "name": "EbeeSep2025 Pt1",
      "description": "",
      "modified": "2025-10-11T12:03:16.109000",
      "created": "2025-09-06T10:31:46.478000",
      "tags": [],
      "references": [
        "week1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 12,
        "FileHash-MD5": 157,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 318,
        "URL": 83,
        "domain": 78
      },
      "indicator_count": 789,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "234 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b8341cf36a23ab8e2ae539",
      "name": "dream",
      "description": "A report on a spear-phishing campaign targeting Oman's Ministry of Foreign Affairs (MFA) has been published by the European Union's Dream Security Research Centre (EU), based in London.",
      "modified": "2025-10-03T12:02:47.515000",
      "created": "2025-09-03T12:27:08.373000",
      "tags": [
        "homeland justice",
        "modifications",
        "decode",
        "execute"
      ],
      "references": [
        "https://dreamgroup.com/wp-content/uploads/2025/08/Dream_CTI_Analysis_Malicious_Campaign_by_MOIS_Targeting_Diplomatic_Assets.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Egypt",
        "Iran, Islamic Republic of",
        "Qatar",
        "United States of America",
        "Oman",
        "Ethiopia",
        "Nigeria",
        "Rwanda",
        "Malawi",
        "Italy",
        "France",
        "Romania",
        "Spain",
        "Netherlands",
        "Hungary",
        "Germany",
        "Austria",
        "Sweden",
        "Japan",
        "Korea, Republic of",
        "Thailand",
        "Bangladesh",
        "Mongolia",
        "Malta"
      ],
      "malware_families": [
        {
          "id": "Homeland Justice",
          "display_name": "Homeland Justice",
          "target": null
        },
        {
          "id": "Modifications",
          "display_name": "Modifications",
          "target": null
        },
        {
          "id": "Decode",
          "display_name": "Decode",
          "target": null
        },
        {
          "id": "Execute",
          "display_name": "Execute",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        }
      ],
      "industries": [
        "Diplomatic",
        "Foreign Affairs",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "242 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b69dbd86479339e34aa634",
      "name": "Malicious Campaign Targeting Diplomatic Assets by the Iranian Ministry of Intelligence and Security",
      "description": "A report on a spear-phishing campaign targeting Oman's Ministry of Foreign Affairs (MFA) has been published by the European Union's Dream Security Research Centre (EU), based in London.",
      "modified": "2025-10-02T07:01:13.233000",
      "created": "2025-09-02T07:33:17.030000",
      "tags": [
        "homeland justice",
        "modifications",
        "decode",
        "execute"
      ],
      "references": [
        "https://dreamgroup.com/wp-content/uploads/2025/08/Dream_CTI_Analysis_Malicious_Campaign_by_MOIS_Targeting_Diplomatic_Assets.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Egypt",
        "Iran, Islamic Republic of",
        "Qatar",
        "United States of America",
        "Oman",
        "Ethiopia",
        "Nigeria",
        "Rwanda",
        "Malawi",
        "Italy",
        "France",
        "Romania",
        "Spain",
        "Netherlands",
        "Hungary",
        "Germany",
        "Austria",
        "Sweden",
        "Japan",
        "Korea, Republic of",
        "Thailand",
        "Bangladesh",
        "Mongolia",
        "Malta"
      ],
      "malware_families": [
        {
          "id": "Homeland Justice",
          "display_name": "Homeland Justice",
          "target": null
        },
        {
          "id": "Modifications",
          "display_name": "Modifications",
          "target": null
        },
        {
          "id": "Decode",
          "display_name": "Decode",
          "target": null
        },
        {
          "id": "Execute",
          "display_name": "Execute",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        }
      ],
      "industries": [
        "Diplomatic",
        "Foreign Affairs",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 14,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "243 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b85ddfd22106c207329e2b",
      "name": "CTI Analysis: Malicious Email Campaign",
      "description": "Iran-Nexus Spear phishing Campaign Masquerades as Omani MFA to Target Global Governments.\nIn August 2025, as part of Dream\u2019s threat intelligence agents\u2019 ongoing monitoring of cyber activity, a spear-phishing campaign leveraging a compromised mailbox of the Ministry of Foreign Affairs of Oman was identified, based on a tweet.\n\nBased on a forensic investigation, we attribute this campaign to Iranian-aligned operators connected to broader offensive cyber activity led by the Homeland Justice group associated with MOIS (Ministry of Intelligence and Security of Iran).\n\nEmails were sent to multiple government recipients worldwide, disguised as legitimate diplomatic communication. The emails contained a malicious Microsoft Word attachment with a disguised registration form. The document embedded encoded content as numerical sequences, which were decoded using embedded VBA macro code. When executed, the macro converted each sequence of three numbers into ASCII characters, reconstructing and deploying the malware payload.",
      "modified": "2025-09-03T15:25:22.269000",
      "created": "2025-09-03T15:25:19.524000",
      "tags": [
        "ministry",
        "spear phishing",
        "mois",
        "Homeland Justice Group",
        "middle east"
      ],
      "references": [
        "https://dreamgroup.com/blog-cti/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Oman",
        "Bahrain",
        "Israel",
        "Jordan",
        "Canada",
        "Brazil",
        "Colombia",
        "Peru",
        "Argentina",
        "Ethiopia",
        "Iran, Islamic Republic of",
        "Rwanda",
        "Italy",
        "France",
        "Romania",
        "Spain",
        "Hungary",
        "Germany",
        "Japan",
        "Thailand",
        "Korea, Republic of"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Catbug39",
        "id": "285054",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 13,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 41,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 52,
      "modified_text": "272 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b7b34cfc61fd88e3e43d8b",
      "name": "IOC - CTI Analysis: Malicious Email Campaign",
      "description": "",
      "modified": "2025-09-03T03:17:32.028000",
      "created": "2025-09-03T03:17:32.028000",
      "tags": [
        "reconnaissance",
        "diplomatic targets",
        "iran-nexus",
        "oman mfa",
        "anti-analysis",
        "spear-phishing",
        "vba macro"
      ],
      "references": [
        "https://dreamgroup.com/blog-cti/"
      ],
      "public": 1,
      "adversary": "Homeland Justice",
      "targeted_countries": [
        "Argentina",
        "Austria",
        "Bahrain",
        "Bangladesh",
        "Brazil",
        "Canada",
        "Colombia",
        "Ethiopia",
        "France",
        "Germany",
        "Hungary",
        "Israel",
        "Italy",
        "Japan",
        "Jordan",
        "Korea, Democratic People's Republic of",
        "Korea, Republic of",
        "Malawi",
        "Mongolia",
        "Netherlands",
        "Nigeria",
        "Oman",
        "Peru",
        "Qatar",
        "Romania",
        "Rwanda",
        "Spain",
        "Sweden",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "sysProcUpdate",
          "display_name": "sysProcUpdate",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1020",
          "name": "Automated Exfiltration",
          "display_name": "T1020 - Automated Exfiltration"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "68b6b1b5ba004947dbc00475",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 13,
        "URL": 1,
        "domain": 1
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "272 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://screenai.online/Home/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://screenai.online/Home/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780426714.6494796
}