{ "type": "URL", "indicator": "https://seeceafcleaners.co.uk/cert.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://seeceafcleaners.co.uk/cert.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3842822726, "indicator": "https://seeceafcleaners.co.uk/cert.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "672d43d9f358a8035f893495", "name": "WINELOADER Analysis", "description": "APT29, also known as Cozy Bear, has targeted European diplomats using a sophisticated multi-stage attack chain involving a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file then downloads and executes the WINELOADER backdoor, which uses advanced evasion techniques such as DLL side-loading, encryption, and DLL hollowing. The malware communicates with command and control servers hosted on compromised websites, downloading additional modules and establishing persistence through scheduled tasks or registry keys. The campaign demonstrates APT29's focus on exploiting diplomatic relations between India and European nations, showcasing their advanced tactics and efforts to remain undetected.", "modified": "2024-11-08T10:18:33.883000", "created": "2024-11-07T22:48:57.602000", "tags": [ "modular", "cozy bear", "diplomats", "apt29", "dll side-loading", "wineloader", "evasion", "backdoor", "dll hollowing" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-apt29-cozy-bear-wineloader" ], "public": 1, "adversary": "APT29 (Cozy Bear)", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 5, "domain": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 387114, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e6ccbc861036abd5ead49a", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-05T07:41:48.253000", "created": "2024-03-05T07:41:48.253000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e47d5a098be052f60db2d2", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "820 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e548ca2f1cfaf3e6681d51", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-04T04:06:34.700000", "created": "2024-03-04T04:06:34.700000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e47d5a098be052f60db2d2", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "821 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e47d5a098be052f60db2d2", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-03T13:39:10.323000", "created": "2024-03-03T13:38:34.227000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e189dc8a293ac4dc5c78ab", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "822 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e189dc8a293ac4dc5c78ab", "name": "WINELOADER Analysis | ThreatLabz", "description": "", "modified": "2024-03-01T07:55:08.792000", "created": "2024-03-01T07:55:08.792000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "figure", "dll sideloading", "wineloader core", "dll hollowing", "february", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5, "domain": 4 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e16beec26f40b29227fe61", "name": "New Backdoor Targeting European Officials Linked to Indian Diplomatic Events", "description": "Hashes (SHA256) - 1.7 billion years old - have been released by the National Security Agency (NSA) to mark the 25th anniversary of the 9/11 attacks on the United States.", "modified": "2024-03-01T05:47:26.143000", "created": "2024-03-01T05:47:26.143000", "tags": [ "hashes", "sha256", "cyber", "threat", "march", "time", "crypto cyber", "defence" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 4, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader", "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-apt29-cozy-bear-wineloader" ], "related": { "alienvault": { "adversary": [ "APT29 (Cozy Bear)" ], "malware_families": [ "Wineloader" ], "industries": [ "Government" ], "unique_indicators": 25 }, "other": { "adversary": [], "malware_families": [ "Wineloader" ], "industries": [ "Diplomatic" ], "unique_indicators": 18 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/seeceafcleaners.co.uk", "whois": "http://whois.domaintools.com/seeceafcleaners.co.uk", "domain": "seeceafcleaners.co.uk", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "672d43d9f358a8035f893495", "name": "WINELOADER Analysis", "description": "APT29, also known as Cozy Bear, has targeted European diplomats using a sophisticated multi-stage attack chain involving a new modular backdoor called WINELOADER. The attack begins with a fake PDF invitation to a wine-tasting event, which leads to the download of a malicious HTA file. This file then downloads and executes the WINELOADER backdoor, which uses advanced evasion techniques such as DLL side-loading, encryption, and DLL hollowing. The malware communicates with command and control servers hosted on compromised websites, downloading additional modules and establishing persistence through scheduled tasks or registry keys. The campaign demonstrates APT29's focus on exploiting diplomatic relations between India and European nations, showcasing their advanced tactics and efforts to remain undetected.", "modified": "2024-11-08T10:18:33.883000", "created": "2024-11-07T22:48:57.602000", "tags": [ "modular", "cozy bear", "diplomats", "apt29", "dll side-loading", "wineloader", "evasion", "backdoor", "dll hollowing" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-apt29-cozy-bear-wineloader" ], "public": 1, "adversary": "APT29 (Cozy Bear)", "targeted_countries": [ "British Indian Ocean Territory", "India" ], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 5, "domain": 3 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 387114, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e6ccbc861036abd5ead49a", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-05T07:41:48.253000", "created": "2024-03-05T07:41:48.253000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e47d5a098be052f60db2d2", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "820 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e548ca2f1cfaf3e6681d51", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-04T04:06:34.700000", "created": "2024-03-04T04:06:34.700000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e47d5a098be052f60db2d2", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "821 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e47d5a098be052f60db2d2", "name": "European diplomats targeted by SPIKEDWINE with WINELOADER", "description": "", "modified": "2024-03-03T13:39:10.323000", "created": "2024-03-03T13:38:34.227000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "dll sideloading", "wineloader core", "dll hollowing", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": "65e189dc8a293ac4dc5c78ab", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "822 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e189dc8a293ac4dc5c78ab", "name": "WINELOADER Analysis | ThreatLabz", "description": "", "modified": "2024-03-01T07:55:08.792000", "created": "2024-03-01T07:55:08.792000", "tags": [ "wineloader", "hta file", "rc4 key", "c2 server", "pdf file", "zip archive", "figure", "dll sideloading", "wineloader core", "dll hollowing", "february", "strings", "win64", "inject" ], "references": [ "https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WINELOADER", "display_name": "WINELOADER", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Diplomatic" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 5, "domain": 4 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e16beec26f40b29227fe61", "name": "New Backdoor Targeting European Officials Linked to Indian Diplomatic Events", "description": "Hashes (SHA256) - 1.7 billion years old - have been released by the National Security Agency (NSA) to mark the 25th anniversary of the 9/11 attacks on the United States.", "modified": "2024-03-01T05:47:26.143000", "created": "2024-03-01T05:47:26.143000", "tags": [ "hashes", "sha256", "cyber", "threat", "march", "time", "crypto cyber", "defence" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "URL": 4, "domain": 3 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "824 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://seeceafcleaners.co.uk/cert.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://seeceafcleaners.co.uk/cert.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780497174.6934292 }