{ "type": "URL", "indicator": "https://solana.drpc.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://solana.drpc.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4274488320, "indicator": "https://solana.drpc.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c5279426c90bcf2d29aca7", "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)", "description": "", "modified": "2026-04-25T12:10:18.482000", "created": "2026-03-26T12:33:24.873000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "glassworm", "phantom", "exodus", "desktop", "belarus", "armenia" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c527a4634386f30b478f02", "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)", "description": "", "modified": "2026-04-25T12:10:18.482000", "created": "2026-03-26T12:33:40.541000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "glassworm", "phantom", "exodus", "desktop", "belarus", "armenia" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd1dee05ba236721544e45", "name": "GlassWorm Hides a RAT Inside a Malicious Chrome Extension", "description": "The GlassWorm malware campaign employs a sophisticated multi-stage attack strategy aimed at installing a remote access trojan (RAT) through a malicious Chrome extension masquerading as \"Google Docs Offline.\" The operation begins by utilizing malicious packages published across various platforms, including npm and PyPI, either creating new malicious packages or modifying existing legitimate projects. It notably features two types of loaders: an invisible Unicode loader and a more conventional obfuscated preinstall script.", "modified": "2026-04-19T10:37:55.998000", "created": "2026-03-20T10:14:06.829000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "phantom", "exodus", "desktop", "belarus", "armenia", "ledger live", "chrome extension" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlassWorm", "display_name": "GlassWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1021.005", "name": "VNC", "display_name": "T1021.005 - VNC" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.pdf", "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana" ], "malware_families": [ "Glassworm" ], "industries": [ "Finance" ], "unique_indicators": 981 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/drpc.org", "whois": "http://whois.domaintools.com/drpc.org", "domain": "drpc.org", "hostname": "solana.drpc.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c5279426c90bcf2d29aca7", "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)", "description": "", "modified": "2026-04-25T12:10:18.482000", "created": "2026-03-26T12:33:24.873000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "glassworm", "phantom", "exodus", "desktop", "belarus", "armenia" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c527a4634386f30b478f02", "name": "GlassWorm RAT Delivered via Malicious Chrome Extension (Keylogger, Cookie Theft)", "description": "", "modified": "2026-04-25T12:10:18.482000", "created": "2026-03-26T12:33:40.541000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "glassworm", "phantom", "exodus", "desktop", "belarus", "armenia" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd1dee05ba236721544e45", "name": "GlassWorm Hides a RAT Inside a Malicious Chrome Extension", "description": "The GlassWorm malware campaign employs a sophisticated multi-stage attack strategy aimed at installing a remote access trojan (RAT) through a malicious Chrome extension masquerading as \"Google Docs Offline.\" The operation begins by utilizing malicious packages published across various platforms, including npm and PyPI, either creating new malicious packages or modifying existing legitimate projects. It notably features two types of loaders: an invisible Unicode loader and a more conventional obfuscated preinstall script.", "modified": "2026-04-19T10:37:55.998000", "created": "2026-03-20T10:14:06.829000", "tags": [ "stage", "appdata", "windows", "ledger", "temp", "google docs", "offline", "hvnc", "google calendar", "solana memo", "phantom", "exodus", "desktop", "belarus", "armenia", "ledger live", "chrome extension" ], "references": [ "https://www.aikido.dev/blog/glassworm-chrome-extension-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GlassWorm", "display_name": "GlassWorm", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1021.005", "name": "VNC", "display_name": "T1021.005 - VNC" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 15, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "hostname": 9 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "41 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://solana.drpc.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://solana.drpc.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222406.7223318 }