{ "type": "URL", "indicator": "https://smplu.link/dockerzero.", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://smplu.link/dockerzero.", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4201391969, "indicator": "https://smplu.link/dockerzero.", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69931d7b5ba26f878ccbdc85", "name": "AI/LLM-Generated Malware Used to Exploit React2Shell", "description": "Recent observations from Darktrace's honeypot network, \"CloudyPots,\" highlight the use of AI-generated malware exploiting vulnerable Docker environments, specifically the Docker daemon exposed without authentication. This configuration allows attackers to discover the daemon and create containers through the Docker API, establishing initial access to the system.\n\nThe central component of the intrusion was a Python payload that acted as the execution mechanism. The payload was notably obfuscated, indicating a deliberate effort to disguise its functionality. Throughout the malware sample, there was a lack of embedded spreading logic, which is typically found in Docker malware. This omission suggests that the attackers utilized a separate remote spreading tool instead.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:36:59.775000", "tags": [ "ip address", "february", "beyondtrust", "compromise", "possible", "threat research", "darktrace", "rare external", "activity", "c2 server", "concept", "suspicious", "docker api" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 3, "domain": 2, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698b41f0cbddf7e999ffcef9", "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell", "description": "", "modified": "2026-03-12T14:03:57.105000", "created": "2026-02-10T14:34:24.334000", "tags": [ "snappybee", "virtualprotect", "virtualalloc", "dllmain", "follow", "deed rat", "salt typhoon", "trendmicro", "november", "cobalt strike", "python", "malware", "loader" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "URL": 7, "domain": 5 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell", "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 53 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/smplu.link", "whois": "http://whois.domaintools.com/smplu.link", "domain": "smplu.link", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69931d7b5ba26f878ccbdc85", "name": "AI/LLM-Generated Malware Used to Exploit React2Shell", "description": "Recent observations from Darktrace's honeypot network, \"CloudyPots,\" highlight the use of AI-generated malware exploiting vulnerable Docker environments, specifically the Docker daemon exposed without authentication. This configuration allows attackers to discover the daemon and create containers through the Docker API, establishing initial access to the system.\n\nThe central component of the intrusion was a Python payload that acted as the execution mechanism. The payload was notably obfuscated, indicating a deliberate effort to disguise its functionality. Throughout the malware sample, there was a lack of embedded spreading logic, which is typically found in Docker malware. This omission suggests that the attackers utilized a separate remote spreading tool instead.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:36:59.775000", "tags": [ "ip address", "february", "beyondtrust", "compromise", "possible", "threat research", "darktrace", "rare external", "activity", "c2 server", "concept", "suspicious", "docker api" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 3, "domain": 2, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698b41f0cbddf7e999ffcef9", "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell", "description": "", "modified": "2026-03-12T14:03:57.105000", "created": "2026-02-10T14:34:24.334000", "tags": [ "snappybee", "virtualprotect", "virtualalloc", "dllmain", "follow", "deed rat", "salt typhoon", "trendmicro", "november", "cobalt strike", "python", "malware", "loader" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "URL": 7, "domain": 5 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://smplu.link/dockerzero.", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://smplu.link/dockerzero.", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780200705.8070695 }