{ "type": "URL", "indicator": "https://sl.008php.com/kt.html", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sl.008php.com/kt.html", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4133796092, "indicator": "https://sl.008php.com/kt.html", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68d50979e4d5d3cea426e8e4", "name": "Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign", "description": "A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.", "modified": "2025-10-25T09:03:29.853000", "created": "2025-09-25T09:20:57.422000", "tags": [ "dragonrank", "iis module", "seo poisoning", "group 9", "chinese-speaking", "vietnam", "web shells", "badiis" ], "references": [ "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign" ], "public": 1, "adversary": "CL-UNK-1037", "targeted_countries": [], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 30, "domain": 2, "hostname": 15 }, "indicator_count": 124, "is_author": false, "is_subscribing": null, "subscriber_count": 377607, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d4fd6717c7ef593cca31ef", "name": "Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign", "description": "Chinese-speaking hackers are carrying out a wide-scale search engine poisoning campaign, according to research by Palo Alto Networks and ESET researchers in the third unit of the \u00c2\u00a31.3bn Security Research Centre.", "modified": "2025-10-25T08:03:14.175000", "created": "2025-09-25T08:29:27.402000", "tags": [ "group", "c2 server", "badiis", "badiis module", "dragonrank", "seo poisoning", "eset", "http request", "iis module", "urls", "first", "alliance", "malware", "asp.net", "php" ], "references": [ "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SEO Poisoning", "display_name": "SEO Poisoning", "target": null }, { "id": "ASP.NET", "display_name": "ASP.NET", "target": null }, { "id": "DragonRank", "display_name": "DragonRank", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "CVE": 1, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 30, "domain": 2, "hostname": 15 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/", "week3.pdf", "Sep week3.pdf", "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign" ], "related": { "alienvault": { "adversary": [ "CL-UNK-1037" ], "malware_families": [ "Badiis" ], "industries": [], "unique_indicators": 127 }, "other": { "adversary": [ "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "Multiple" ], "malware_families": [ "Php", "Dragonrank", "Seo poisoning", "Asp.net" ], "industries": [ "Government" ], "unique_indicators": 1533 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/008php.com", "whois": "http://whois.domaintools.com/008php.com", "domain": "008php.com", "hostname": "sl.008php.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68d50979e4d5d3cea426e8e4", "name": "Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign", "description": "A Chinese-speaking threat actor group, tracked as CL-UNK-1037, has been conducting a large-scale SEO poisoning campaign called Operation Rewrite. The attackers use a malicious IIS module named BadIIS to intercept and alter web traffic on compromised servers, manipulating search engine results to redirect users to malicious sites. The campaign primarily targets East and Southeast Asia, with a focus on Vietnam. The attackers employ various tools including native IIS modules, ASP.NET handlers, and PHP scripts. The operation shows links to previously known threat groups like Group 9 and possibly DragonRank. The campaign demonstrates sophisticated techniques for search result manipulation and traffic redirection, posing significant risks to unsuspecting internet users.", "modified": "2025-10-25T09:03:29.853000", "created": "2025-09-25T09:20:57.422000", "tags": [ "dragonrank", "iis module", "seo poisoning", "group 9", "chinese-speaking", "vietnam", "web shells", "badiis" ], "references": [ "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign" ], "public": 1, "adversary": "CL-UNK-1037", "targeted_countries": [], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1598.003", "name": "Spearphishing Link", "display_name": "T1598.003 - Spearphishing Link" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 30, "domain": 2, "hostname": 15 }, "indicator_count": 124, "is_author": false, "is_subscribing": null, "subscriber_count": 377607, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68cc8aefbfff4e83cfc4fa34", "name": "EbeeSep2025 Pt4", "description": "", "modified": "2025-12-04T06:44:19.596000", "created": "2025-09-18T22:42:55.965000", "tags": [], "references": [ "Sep week3.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 242, "FileHash-SHA256": 323, "URL": 70, "domain": 80, "email": 4, "hostname": 9 }, "indicator_count": 944, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d520941e7d25721aa23329", "name": "EbeeSep2025 Pt5", "description": "", "modified": "2025-12-04T06:43:22.018000", "created": "2025-09-25T10:59:32.609000", "tags": [], "references": [ "week3.pdf" ], "public": 1, "adversary": "RaccoonO365, Storm-2246, GentleMen, EggStreme Malware, Shai-Hulud Campaign, AI-Driven Phishing Attac", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 169, "FileHash-MD5": 136, "FileHash-SHA1": 151, "FileHash-SHA256": 196, "domain": 90, "hostname": 176, "email": 2 }, "indicator_count": 920, "is_author": false, "is_subscribing": null, "subscriber_count": 36, "modified_text": "136 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d4fd6717c7ef593cca31ef", "name": "Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign", "description": "Chinese-speaking hackers are carrying out a wide-scale search engine poisoning campaign, according to research by Palo Alto Networks and ESET researchers in the third unit of the \u00c2\u00a31.3bn Security Research Centre.", "modified": "2025-10-25T08:03:14.175000", "created": "2025-09-25T08:29:27.402000", "tags": [ "group", "c2 server", "badiis", "badiis module", "dragonrank", "seo poisoning", "eset", "http request", "iis module", "urls", "first", "alliance", "malware", "asp.net", "php" ], "references": [ "https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SEO Poisoning", "display_name": "SEO Poisoning", "target": null }, { "id": "ASP.NET", "display_name": "ASP.NET", "target": null }, { "id": "DragonRank", "display_name": "DragonRank", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "CVE": 1, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 30, "domain": 2, "hostname": 15 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sl.008php.com/kt.html", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sl.008php.com/kt.html", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776662297.401815 }