{ "type": "URL", "indicator": "https://sentinelonepro.com:443", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sentinelonepro.com:443", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4359006379, "indicator": "https://sentinelonepro.com:443", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a0d96aadcfeadab9eea10d0", "name": "APT Targets Azerbaijani Oil and Gas Industry", "description": "A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...", "modified": "2026-05-21T16:01:35.468000", "created": "2026-05-20T11:10:34.831000", "tags": [ "FamousSparrow", "Earth Estries", "Deed RAT", "Terndoor", "DLL sideloading", "Azerbaijan", "energy sector", "Chinese APT", "Exchange exploitation" ], "references": [ "https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "Azerbaijan" ], "malware_families": [ { "id": "Deed RAT", "display_name": "Deed RAT", "target": null }, { "id": "Terndoor", "display_name": "Terndoor", "target": null }, { "id": "Mofu", "display_name": "Mofu", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 3, "URL": 2, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1283d8233c5c395554dc5c", "name": "APT Targets Azerbaijani Oil and Gas Industry", "description": "", "modified": "2026-05-24T04:51:36.435000", "created": "2026-05-24T04:51:36.435000", "tags": [ "FamousSparrow", "Earth Estries", "Deed RAT", "Terndoor", "DLL sideloading", "Azerbaijan", "energy sector", "Chinese APT", "Exchange exploitation" ], "references": [ "https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "Azerbaijan" ], "malware_families": [ { "id": "Deed RAT", "display_name": "Deed RAT", "target": null }, { "id": "Terndoor", "display_name": "Terndoor", "target": null }, { "id": "Mofu", "display_name": "Mofu", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "6a0d96aadcfeadab9eea10d0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 3, "URL": 2, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry", "IOCs-MAY2.csv" ], "related": { "alienvault": { "adversary": [ "GhostEmperor" ], "malware_families": [ "Deed rat", "Mofu", "Terndoor" ], "industries": [ "Energy" ], "unique_indicators": 11 }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "GhostEmperor" ], "malware_families": [ "Deed rat", "Mofu", "Terndoor" ], "industries": [ "Energy" ], "unique_indicators": 946 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sentinelonepro.com", "whois": "http://whois.domaintools.com/sentinelonepro.com", "domain": "sentinelonepro.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a0d96aadcfeadab9eea10d0", "name": "APT Targets Azerbaijani Oil and Gas Industry", "description": "A sophisticated multi-wave intrusion campaign targeted an Azerbaijani oil and gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence to the Chinese APT group FamousSparrow. The operation exploited unpatched Microsoft Exchange servers via ProxyShell and ProxyNotShell vulnerabilities to establish initial access. Attackers deployed two distinct backdoor families - Deed RAT and Terndoor - across three separate waves, demonstrating operational persistence by repeatedly exploiting the same entry point despite remediation attempts. Technical analysis revealed an evolved DLL sideloading technique using a two-stage trigger mechanism that gates execution through legitimate application control flow, effectively evading automated sandbox analysis. The campaign extended FamousSparrow's known targeting to South Caucasus energy infrastructure, coinciding with Azerbaijan's increased strategic importance to European energy security following disruptions in Russian and Mi...", "modified": "2026-05-21T16:01:35.468000", "created": "2026-05-20T11:10:34.831000", "tags": [ "FamousSparrow", "Earth Estries", "Deed RAT", "Terndoor", "DLL sideloading", "Azerbaijan", "energy sector", "Chinese APT", "Exchange exploitation" ], "references": [ "https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "Azerbaijan" ], "malware_families": [ { "id": "Deed RAT", "display_name": "Deed RAT", "target": null }, { "id": "Terndoor", "display_name": "Terndoor", "target": null }, { "id": "Mofu", "display_name": "Mofu", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 3, "URL": 2, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386476, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1283d8233c5c395554dc5c", "name": "APT Targets Azerbaijani Oil and Gas Industry", "description": "", "modified": "2026-05-24T04:51:36.435000", "created": "2026-05-24T04:51:36.435000", "tags": [ "FamousSparrow", "Earth Estries", "Deed RAT", "Terndoor", "DLL sideloading", "Azerbaijan", "energy sector", "Chinese APT", "Exchange exploitation" ], "references": [ "https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry" ], "public": 1, "adversary": "GhostEmperor", "targeted_countries": [ "Azerbaijan" ], "malware_families": [ { "id": "Deed RAT", "display_name": "Deed RAT", "target": null }, { "id": "Terndoor", "display_name": "Terndoor", "target": null }, { "id": "Mofu", "display_name": "Mofu", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "6a0d96aadcfeadab9eea10d0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 3, "URL": 2, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sentinelonepro.com:443", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sentinelonepro.com:443", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780200090.6213417 }