{
  "type": "URL",
  "indicator": "https://solana-rpc.publicnode.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://solana-rpc.publicnode.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4197100673,
      "indicator": "https://solana-rpc.publicnode.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "698364aade09c6acd9e673b9",
          "name": "Anatomy of a Russian Crypto Drainer Operation",
          "description": "A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.",
          "modified": "2026-03-06T15:01:37.981000",
          "created": "2026-02-04T15:24:26.608000",
          "tags": [
            "wallet draining",
            "javascript drainer",
            "social engineering",
            "solana",
            "brand impersonation",
            "phishing",
            "cryptocurrency theft",
            "affiliate program"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation",
            "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium"
          ],
          "public": 1,
          "adversary": "Rublevka Team",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10,
            "FileHash-MD5": 1,
            "FileHash-SHA256": 7,
            "domain": 23,
            "hostname": 7
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386506,
          "modified_text": "85 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd44f15d660f597a2596b4",
          "name": "EbeeMar2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-01T16:15:36.188000",
          "created": "2026-04-01T16:16:49.921000",
          "tags": [],
          "references": [
            "IOCs.2026.pdf"
          ],
          "public": 1,
          "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 84,
            "CIDR": 1,
            "CVE": 9,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 146,
            "FileHash-SHA256": 274,
            "domain": 106,
            "email": 2,
            "hostname": 103
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "29 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5279426c90bcf2d29aca7",
          "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)",
          "description": "",
          "modified": "2026-04-25T12:10:18.482000",
          "created": "2026-03-26T12:33:24.873000",
          "tags": [
            "stage",
            "appdata",
            "windows",
            "ledger",
            "temp",
            "google docs",
            "offline",
            "hvnc",
            "google calendar",
            "solana memo",
            "glassworm",
            "phantom",
            "exodus",
            "desktop",
            "belarus",
            "armenia"
          ],
          "references": [
            "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jellybean123",
            "id": "359279",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 8,
            "hostname": 9
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c527a4634386f30b478f02",
          "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)",
          "description": "",
          "modified": "2026-04-25T12:10:18.482000",
          "created": "2026-03-26T12:33:40.541000",
          "tags": [
            "stage",
            "appdata",
            "windows",
            "ledger",
            "temp",
            "google docs",
            "offline",
            "hvnc",
            "google calendar",
            "solana memo",
            "glassworm",
            "phantom",
            "exodus",
            "desktop",
            "belarus",
            "armenia"
          ],
          "references": [
            "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jellybean123",
            "id": "359279",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 8,
            "hostname": 9
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bd1dee05ba236721544e45",
          "name": "GlassWorm Hides a RAT Inside a Malicious Chrome Extension",
          "description": "The GlassWorm malware campaign employs a sophisticated multi-stage attack strategy aimed at installing a remote access trojan (RAT) through a malicious Chrome extension masquerading as \"Google Docs Offline.\" The operation begins by utilizing malicious packages published across various platforms, including npm and PyPI, either creating new malicious packages or modifying existing legitimate projects. It notably features two types of loaders: an invisible Unicode loader and a more conventional obfuscated preinstall script.",
          "modified": "2026-04-19T10:37:55.998000",
          "created": "2026-03-20T10:14:06.829000",
          "tags": [
            "stage",
            "appdata",
            "windows",
            "ledger",
            "temp",
            "google docs",
            "offline",
            "hvnc",
            "google calendar",
            "solana memo",
            "phantom",
            "exodus",
            "desktop",
            "belarus",
            "armenia",
            "ledger live",
            "chrome extension"
          ],
          "references": [
            "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "GlassWorm",
              "display_name": "GlassWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1021.005",
              "name": "VNC",
              "display_name": "T1021.005 - VNC"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 8,
            "hostname": 9
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "41 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c53f29613e705f0f89e5a",
          "name": "EbeeFeb2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T10:03:30.456000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "filehashsha256",
            "ipv4",
            "cve20207699 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 158,
            "FileHash-SHA1": 131,
            "FileHash-SHA256": 134,
            "URL": 86,
            "domain": 71,
            "hostname": 30,
            "CIDR": 1,
            "CVE": 7
          },
          "indicator_count": 618,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "79 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698408e23725b5d83f3ac6f4",
          "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation",
          "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.",
          "modified": "2026-03-07T03:01:37.719000",
          "created": "2026-02-05T03:05:06.506000",
          "tags": [
            "email"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10,
            "FileHash-MD5": 1,
            "FileHash-SHA256": 7,
            "domain": 11,
            "email": 1,
            "hostname": 3
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "85 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69844eb49602db963a7caf60",
          "name": "Anatomy of a Russian Crypto Drainer Operation",
          "description": "",
          "modified": "2026-03-06T15:01:37.981000",
          "created": "2026-02-05T08:03:00.115000",
          "tags": [
            "wallet draining",
            "javascript drainer",
            "social engineering",
            "solana",
            "brand impersonation",
            "phishing",
            "cryptocurrency theft",
            "affiliate program"
          ],
          "references": [
            "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation",
            "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium"
          ],
          "public": 1,
          "adversary": "Rublevka Team",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "698364aade09c6acd9e673b9",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10,
            "FileHash-MD5": 1,
            "FileHash-SHA256": 7,
            "domain": 23,
            "hostname": 7
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "85 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs.2026.pdf",
        "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium",
        "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation",
        "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Rublevka Team"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 49
        },
        "other": {
          "adversary": [
            "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana",
            "Rublevka Team",
            "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi"
          ],
          "malware_families": [
            "Glassworm"
          ],
          "industries": [
            "Finance"
          ],
          "unique_indicators": 1795
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/publicnode.com",
    "whois": "http://whois.domaintools.com/publicnode.com",
    "domain": "publicnode.com",
    "hostname": "solana-rpc.publicnode.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "698364aade09c6acd9e673b9",
      "name": "Anatomy of a Russian Crypto Drainer Operation",
      "description": "A major cybercriminal operation called Rublevka Team has generated over $10 million through cryptocurrency theft since 2023. The group employs a network of social engineering specialists who direct victims to malicious pages impersonating legitimate crypto services. Using custom JavaScript scripts, they trick users into connecting wallets and authorizing fraudulent transactions. Rublevka Team's infrastructure is fully automated, offering affiliates access to tools for launching high-volume scams. Their model poses a growing threat to cryptocurrency platforms and brands, with potential for reputational and legal risks. The group's agility in rotating domains and targeting lower-cost chains like Solana undermines traditional fraud detection efforts.",
      "modified": "2026-03-06T15:01:37.981000",
      "created": "2026-02-04T15:24:26.608000",
      "tags": [
        "wallet draining",
        "javascript drainer",
        "social engineering",
        "solana",
        "brand impersonation",
        "phishing",
        "cryptocurrency theft",
        "affiliate program"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation",
        "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium"
      ],
      "public": 1,
      "adversary": "Rublevka Team",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10,
        "FileHash-MD5": 1,
        "FileHash-SHA256": 7,
        "domain": 23,
        "hostname": 7
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386506,
      "modified_text": "85 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cd44f15d660f597a2596b4",
      "name": "EbeeMar2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-01T16:15:36.188000",
      "created": "2026-04-01T16:16:49.921000",
      "tags": [],
      "references": [
        "IOCs.2026.pdf"
      ],
      "public": 1,
      "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 84,
        "CIDR": 1,
        "CVE": 9,
        "FileHash-MD5": 178,
        "FileHash-SHA1": 146,
        "FileHash-SHA256": 274,
        "domain": 106,
        "email": 2,
        "hostname": 103
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "29 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5279426c90bcf2d29aca7",
      "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)",
      "description": "",
      "modified": "2026-04-25T12:10:18.482000",
      "created": "2026-03-26T12:33:24.873000",
      "tags": [
        "stage",
        "appdata",
        "windows",
        "ledger",
        "temp",
        "google docs",
        "offline",
        "hvnc",
        "google calendar",
        "solana memo",
        "glassworm",
        "phantom",
        "exodus",
        "desktop",
        "belarus",
        "armenia"
      ],
      "references": [
        "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Jellybean123",
        "id": "359279",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 8,
        "hostname": 9
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c527a4634386f30b478f02",
      "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)",
      "description": "",
      "modified": "2026-04-25T12:10:18.482000",
      "created": "2026-03-26T12:33:40.541000",
      "tags": [
        "stage",
        "appdata",
        "windows",
        "ledger",
        "temp",
        "google docs",
        "offline",
        "hvnc",
        "google calendar",
        "solana memo",
        "glassworm",
        "phantom",
        "exodus",
        "desktop",
        "belarus",
        "armenia"
      ],
      "references": [
        "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Jellybean123",
        "id": "359279",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 8,
        "hostname": 9
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bd1dee05ba236721544e45",
      "name": "GlassWorm Hides a RAT Inside a Malicious Chrome Extension",
      "description": "The GlassWorm malware campaign employs a sophisticated multi-stage attack strategy aimed at installing a remote access trojan (RAT) through a malicious Chrome extension masquerading as \"Google Docs Offline.\" The operation begins by utilizing malicious packages published across various platforms, including npm and PyPI, either creating new malicious packages or modifying existing legitimate projects. It notably features two types of loaders: an invisible Unicode loader and a more conventional obfuscated preinstall script.",
      "modified": "2026-04-19T10:37:55.998000",
      "created": "2026-03-20T10:14:06.829000",
      "tags": [
        "stage",
        "appdata",
        "windows",
        "ledger",
        "temp",
        "google docs",
        "offline",
        "hvnc",
        "google calendar",
        "solana memo",
        "phantom",
        "exodus",
        "desktop",
        "belarus",
        "armenia",
        "ledger live",
        "chrome extension"
      ],
      "references": [
        "https://www.aikido.dev/blog/glassworm-chrome-extension-rat"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "GlassWorm",
          "display_name": "GlassWorm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1021.005",
          "name": "VNC",
          "display_name": "T1021.005 - VNC"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 8,
        "hostname": 9
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "41 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c53f29613e705f0f89e5a",
      "name": "EbeeFeb2026 Pt3",
      "description": "Multiple APT/threat actors, malware and campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T10:03:30.456000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "filehashsha256",
        "ipv4",
        "cve20207699 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "Campaign involving multi-stage infostealer deployment, Amaranth-Dragon, SystemBC, Notepad++ Compromi",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 158,
        "FileHash-SHA1": 131,
        "FileHash-SHA256": 134,
        "URL": 86,
        "domain": 71,
        "hostname": 30,
        "CIDR": 1,
        "CVE": 7
      },
      "indicator_count": 618,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "79 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698408e23725b5d83f3ac6f4",
      "name": "IOC - Rublevka Team: Anatomy of a Russian Crypto Drainer Operation",
      "description": "Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker \u201cRublevka Team\u201d. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a \u201ctraffer team,\u201d composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions.",
      "modified": "2026-03-07T03:01:37.719000",
      "created": "2026-02-05T03:05:06.506000",
      "tags": [
        "email"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10,
        "FileHash-MD5": 1,
        "FileHash-SHA256": 7,
        "domain": 11,
        "email": 1,
        "hostname": 3
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "85 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69844eb49602db963a7caf60",
      "name": "Anatomy of a Russian Crypto Drainer Operation",
      "description": "",
      "modified": "2026-03-06T15:01:37.981000",
      "created": "2026-02-05T08:03:00.115000",
      "tags": [
        "wallet draining",
        "javascript drainer",
        "social engineering",
        "solana",
        "brand impersonation",
        "phishing",
        "cryptocurrency theft",
        "affiliate program"
      ],
      "references": [
        "https://www.recordedfuture.com/research/rublevka-team-anatomy-russian-crypto-drainer-operation",
        "https://www.recordedfuture.com/research/media_1f21796732ee17098dc9eae5148e093dc47d7f9de.gif?width=1200&format=pjpg&optimize=medium"
      ],
      "public": 1,
      "adversary": "Rublevka Team",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "698364aade09c6acd9e673b9",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 10,
        "FileHash-MD5": 1,
        "FileHash-SHA256": 7,
        "domain": 23,
        "hostname": 7
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "85 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://solana-rpc.publicnode.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://solana-rpc.publicnode.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780222297.926747
}