{
  "type": "URL",
  "indicator": "https://static.my",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://static.my",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4156676373,
      "indicator": "https://static.my",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "6957582a5ec95aeb9a62faac",
          "name": "EbeeDec2025 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-02-01T14:01:43.935000",
          "created": "2026-01-02T05:31:22.506000",
          "tags": [
            "filehashsha1",
            "filehashsha256",
            "filehashmd5"
          ],
          "references": [
            "IOC-Dec 2025.csv"
          ],
          "public": 1,
          "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 157,
            "FileHash-SHA1": 82,
            "FileHash-SHA256": 103,
            "URL": 41,
            "domain": 59,
            "hostname": 26,
            "email": 2
          },
          "indicator_count": 474,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "118 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69536e9778aaa05c88108848",
          "name": "IOC - Arcane Werewolf revamps its arsenal with Loki 2.1 implant",
          "description": "In October and November 2025, BI.ZONE Threat Intelligence observed malicious activity by Arcane Werewolf (Mythic Likho) targeting Russian manufacturing enterprises. Retrospective analysis suggests that the threat actor most likely used phishing emails as the initial access vector, consistent with its previous campaigns. The messages were irrecoverable but presumably contained links to a malicious archive hosted on the attackers\u2019 C2 server. The links directed victims to a spoofed website imitating a Russian manufacturing company.",
          "modified": "2025-12-30T06:17:59.325000",
          "created": "2025-12-30T06:17:59.325000",
          "tags": [
            "loki",
            "https",
            "network"
          ],
          "references": [
            "https://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 13,
            "URL": 3,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 42,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "152 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "692e7062498399024da86752",
          "name": "Arcane Werewolf is back with an updated Loki implant",
          "description": "In late 2025, cybersecurity experts from BI.ZONE Threat Intelligence identified ongoing malicious activities linked to the hacking group known as Arcane Werewolf, also referred to as Mythic Likho. This group is targeting Russian industrial companies, highlighting a shift in focus towards specific sectors critical to national infrastructure. The attack vector utilized in these campaigns appears to be phishing emails, mirroring previous incidents attributed to this threat actor. While the actual phishing emails were not accessible, it is suspected that they contained a link directing recipients to download a VPO (malware) archive from a site that impersonates a legitimate Russian industrial company. This technique aims to deceive targets into giving up sensitive information or executing malicious payloads by exploiting their trust in recognizable businesses.",
          "modified": "2025-12-02T04:51:46.576000",
          "created": "2025-12-02T04:51:46.576000",
          "tags": [
            "loki",
            "werewolf",
            "arcane werewolf",
            "temp",
            "base64",
            "arcane",
            "pe32",
            "https",
            "files",
            "threat",
            "havoc",
            "powershell",
            "phishing",
            "defense",
            "apache",
            "cookie",
            "hash",
            "go dropper",
            "cpp droppers"
          ],
          "references": [
            "https://bi.zone/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 13,
            "URL": 4,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "180 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/",
        "https://bi.zone/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/",
        "IOC-Dec 2025.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
            "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte"
          ],
          "malware_families": [],
          "industries": [
            "Government"
          ],
          "unique_indicators": 1394
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/static.my",
    "whois": "http://whois.domaintools.com/static.my",
    "domain": "static.my",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "6957582a5ec95aeb9a62faac",
      "name": "EbeeDec2025 Pt6",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-02-01T14:01:43.935000",
      "created": "2026-01-02T05:31:22.506000",
      "tags": [
        "filehashsha1",
        "filehashsha256",
        "filehashmd5"
      ],
      "references": [
        "IOC-Dec 2025.csv"
      ],
      "public": 1,
      "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 157,
        "FileHash-SHA1": 82,
        "FileHash-SHA256": 103,
        "URL": 41,
        "domain": 59,
        "hostname": 26,
        "email": 2
      },
      "indicator_count": 474,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "118 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69536e9778aaa05c88108848",
      "name": "IOC - Arcane Werewolf revamps its arsenal with Loki 2.1 implant",
      "description": "In October and November 2025, BI.ZONE Threat Intelligence observed malicious activity by Arcane Werewolf (Mythic Likho) targeting Russian manufacturing enterprises. Retrospective analysis suggests that the threat actor most likely used phishing emails as the initial access vector, consistent with its previous campaigns. The messages were irrecoverable but presumably contained links to a malicious archive hosted on the attackers\u2019 C2 server. The links directed victims to a spoofed website imitating a Russian manufacturing company.",
      "modified": "2025-12-30T06:17:59.325000",
      "created": "2025-12-30T06:17:59.325000",
      "tags": [
        "loki",
        "https",
        "network"
      ],
      "references": [
        "https://bi.zone/eng/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 13,
        "URL": 3,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 42,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "152 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "692e7062498399024da86752",
      "name": "Arcane Werewolf is back with an updated Loki implant",
      "description": "In late 2025, cybersecurity experts from BI.ZONE Threat Intelligence identified ongoing malicious activities linked to the hacking group known as Arcane Werewolf, also referred to as Mythic Likho. This group is targeting Russian industrial companies, highlighting a shift in focus towards specific sectors critical to national infrastructure. The attack vector utilized in these campaigns appears to be phishing emails, mirroring previous incidents attributed to this threat actor. While the actual phishing emails were not accessible, it is suspected that they contained a link directing recipients to download a VPO (malware) archive from a site that impersonates a legitimate Russian industrial company. This technique aims to deceive targets into giving up sensitive information or executing malicious payloads by exploiting their trust in recognizable businesses.",
      "modified": "2025-12-02T04:51:46.576000",
      "created": "2025-12-02T04:51:46.576000",
      "tags": [
        "loki",
        "werewolf",
        "arcane werewolf",
        "temp",
        "base64",
        "arcane",
        "pe32",
        "https",
        "files",
        "threat",
        "havoc",
        "powershell",
        "phishing",
        "defense",
        "apache",
        "cookie",
        "hash",
        "go dropper",
        "cpp droppers"
      ],
      "references": [
        "https://bi.zone/expertise/blog/arcane-werewolf-vernulsya-s-obnovlennym-implantom-loki/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 13,
        "URL": 4,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "180 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://static.my",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://static.my",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211240.724513
}