{ "type": "URL", "indicator": "https://staticcloudflare.pro/api/css.js", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://staticcloudflare.pro/api/css.js", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4370486369, "indicator": "https://staticcloudflare.pro/api/css.js", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6a0f06676dfe8431915ed38a", "name": "Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks", "description": "Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.", "modified": "2026-05-21T16:42:12.982000", "created": "2026-05-21T13:19:35.593000", "tags": [ "sql injection", "cloaking", "installer.dll", "notepadplusplus.dll", "clickfix", "ghost cms", "information stealer", "mass compromise", "utilifysetup.exe", "cve-2026-26980", "fakecaptcha" ], "references": [ "https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "installer.dll", "display_name": "installer.dll", "target": null }, { "id": "UtilifySetup.exe", "display_name": "UtilifySetup.exe", "target": null }, { "id": "NotepadPlusPlus.dll", "display_name": "NotepadPlusPlus.dll", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Education", "Technology", "Finance", "Media", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "URL": 11, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a199f107d72e6c240c88056", "name": "Payload_Delivery | May 30, 2026", "description": "Payload_Delivery indicators. Date: May 30, 2026. Total: 1238 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:36.695000", "created": "2026-05-29T14:13:36.695000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 760, "URL": 194, "FileHash-SHA256": 42, "domain": 206, "FileHash-SHA1": 2 }, "indicator_count": 1204, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a184e431e46597d0217d91c", "name": "Payload_Delivery | May 29, 2026", "description": "Payload_Delivery indicators. Date: May 29, 2026. Total: 1194 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-28T14:16:35.836000", "created": "2026-05-28T14:16:35.836000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 648, "domain": 243, "URL": 208, "FileHash-SHA256": 62, "FileHash-SHA1": 2 }, "indicator_count": 1163, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16fc15cadf9309436a626a", "name": "Payload_Delivery | May 28, 2026", "description": "Payload_Delivery indicators. Date: May 28, 2026. Total: 1111 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-27T14:13:41.458000", "created": "2026-05-27T14:13:41.458000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 567, "domain": 275, "URL": 174, "FileHash-SHA256": 61, "FileHash-SHA1": 2 }, "indicator_count": 1079, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a15aa9102ebff362ef66326", "name": "Payload_Delivery | May 27, 2026", "description": "Payload_Delivery indicators. Date: May 27, 2026. Total: 1055 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-26T14:13:37.240000", "created": "2026-05-26T14:13:37.240000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 468, "URL": 181, "domain": 308, "FileHash-SHA256": 57, "FileHash-SHA1": 3 }, "indicator_count": 1017, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a145900f5080825046806c0", "name": "Payload_Delivery | May 26, 2026", "description": "Payload_Delivery indicators. Date: May 26, 2026. Total: 972 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-25T14:13:20.864000", "created": "2026-05-25T14:13:20.864000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 369, "domain": 352, "URL": 154, "FileHash-SHA1": 3, "FileHash-SHA256": 61 }, "indicator_count": 939, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1380b2ee83fa05ff58af68", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:26.957000", "created": "2026-05-24T22:50:26.957000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1380b0d71dca32f9214caa", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:24.500000", "created": "2026-05-24T22:50:24.500000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13806aa3ce0afa6ce805a3", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:14.004000", "created": "2026-05-24T22:49:14.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13806762755fa47d3276ee", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:11.586000", "created": "2026-05-24T22:49:11.586000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13800eba91800fe4e80284", "name": "cygujctgyj", "description": "Twenty-five years ago, the world was a small country, but it has now become a huge part of the global economy, and the UK has become the largest country in Europe to have its share of", "modified": "2026-05-24T22:47:42.665000", "created": "2026-05-24T22:47:42.665000", "tags": [ "sakura http", "clientsetup" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 859, "IPv4": 4190, "domain": 286, "hostname": 128 }, "indicator_count": 5572, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a130d64d6b88e2c6d025546", "name": "mohammedrizwandddddddd", "description": "", "modified": "2026-05-24T14:38:28.800000", "created": "2026-05-24T14:38:28.800000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 862, "IPv4": 4338, "domain": 286, "hostname": 129 }, "indicator_count": 5724, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12844193310b9bfc7fc2a6", "name": "Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks", "description": "", "modified": "2026-05-24T04:53:21.478000", "created": "2026-05-24T04:53:21.478000", "tags": [ "sql injection", "cloaking", "installer.dll", "notepadplusplus.dll", "clickfix", "ghost cms", "information stealer", "mass compromise", "utilifysetup.exe", "cve-2026-26980", "fakecaptcha" ], "references": [ "https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "installer.dll", "display_name": "installer.dll", "target": null }, { "id": "UtilifySetup.exe", "display_name": "UtilifySetup.exe", "target": null }, { "id": "NotepadPlusPlus.dll", "display_name": "NotepadPlusPlus.dll", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Education", "Technology", "Finance", "Media", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6a0f06676dfe8431915ed38a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "URL": 11, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "https://ltna.com.au/cyber", "https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Utilifysetup.exe", "Installer.dll", "Notepadplusplus.dll" ], "industries": [ "Government", "Media", "Technology", "Finance", "Healthcare", "Education" ], "unique_indicators": 33 }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef" ], "malware_families": [ "Utilifysetup.exe", "Installer.dll", "Notepadplusplus.dll" ], "industries": [ "Government", "Media", "Technology", "Finance", "Healthcare", "Education" ], "unique_indicators": 9598 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/staticcloudflare.pro", "whois": "http://whois.domaintools.com/staticcloudflare.pro", "domain": "staticcloudflare.pro", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6a0f06676dfe8431915ed38a", "name": "Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks", "description": "Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.", "modified": "2026-05-21T16:42:12.982000", "created": "2026-05-21T13:19:35.593000", "tags": [ "sql injection", "cloaking", "installer.dll", "notepadplusplus.dll", "clickfix", "ghost cms", "information stealer", "mass compromise", "utilifysetup.exe", "cve-2026-26980", "fakecaptcha" ], "references": [ "https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "installer.dll", "display_name": "installer.dll", "target": null }, { "id": "UtilifySetup.exe", "display_name": "UtilifySetup.exe", "target": null }, { "id": "NotepadPlusPlus.dll", "display_name": "NotepadPlusPlus.dll", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Education", "Technology", "Finance", "Media", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "URL": 11, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a199f107d72e6c240c88056", "name": "Payload_Delivery | May 30, 2026", "description": "Payload_Delivery indicators. Date: May 30, 2026. Total: 1238 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-29T14:13:36.695000", "created": "2026-05-29T14:13:36.695000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 760, "URL": 194, "FileHash-SHA256": 42, "domain": 206, "FileHash-SHA1": 2 }, "indicator_count": 1204, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a184e431e46597d0217d91c", "name": "Payload_Delivery | May 29, 2026", "description": "Payload_Delivery indicators. Date: May 29, 2026. Total: 1194 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-28T14:16:35.836000", "created": "2026-05-28T14:16:35.836000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 648, "domain": 243, "URL": 208, "FileHash-SHA256": 62, "FileHash-SHA1": 2 }, "indicator_count": 1163, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16fc15cadf9309436a626a", "name": "Payload_Delivery | May 28, 2026", "description": "Payload_Delivery indicators. Date: May 28, 2026. Total: 1111 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-27T14:13:41.458000", "created": "2026-05-27T14:13:41.458000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 567, "domain": 275, "URL": 174, "FileHash-SHA256": 61, "FileHash-SHA1": 2 }, "indicator_count": 1079, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "3 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a15aa9102ebff362ef66326", "name": "Payload_Delivery | May 27, 2026", "description": "Payload_Delivery indicators. Date: May 27, 2026. Total: 1055 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-26T14:13:37.240000", "created": "2026-05-26T14:13:37.240000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 468, "URL": 181, "domain": 308, "FileHash-SHA256": 57, "FileHash-SHA1": 3 }, "indicator_count": 1017, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a145900f5080825046806c0", "name": "Payload_Delivery | May 26, 2026", "description": "Payload_Delivery indicators. Date: May 26, 2026. Total: 972 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-25T14:13:20.864000", "created": "2026-05-25T14:13:20.864000", "tags": [ "payload_delivery" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 369, "domain": 352, "URL": 154, "FileHash-SHA1": 3, "FileHash-SHA256": 61 }, "indicator_count": 939, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1380b2ee83fa05ff58af68", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:26.957000", "created": "2026-05-24T22:50:26.957000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1380b0d71dca32f9214caa", "name": "tfhncf", "description": "", "modified": "2026-05-24T22:50:24.500000", "created": "2026-05-24T22:50:24.500000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 53, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 860, "IPv4": 4337, "domain": 286, "hostname": 128 }, "indicator_count": 5720, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13806aa3ce0afa6ce805a3", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:14.004000", "created": "2026-05-24T22:49:14.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a13806762755fa47d3276ee", "name": "SERHFGB", "description": "", "modified": "2026-05-24T22:49:11.586000", "created": "2026-05-24T22:49:11.586000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 54, "FileHash-SHA1": 12, "FileHash-SHA256": 44, "URL": 865, "IPv4": 5793, "domain": 286, "hostname": 128 }, "indicator_count": 7182, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://staticcloudflare.pro/api/css.js", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://staticcloudflare.pro/api/css.js", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780211228.2619655 }