{ "type": "URL", "indicator": "https://t.m-kosche.com/rope.pyz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://t.m-kosche.com/rope.pyz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4368639866, "indicator": "https://t.m-kosche.com/rope.pyz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a0ce3b0ad791179648c47b0", "name": "Latest PyPi Compromise", "description": "A supply chain attack targeting the Microsoft DurableTask Python client compromised versions 1.4.1, 1.4.2, and 1.4.3 on PyPi. The threat actor gained access through a compromised GitHub account previously linked to attacks, using stolen credentials to dump GitHub secrets containing PyPi tokens. The evolved payload targets Linux systems, stealing credentials from AWS, Azure, GCP, Kubernetes, Vault, and password managers like Bitwarden and 1Password. It propagates via AWS SSM and Kubernetes lateral movement, limited to 5 targets per infected host. The payload scrapes shell history, bruteforces password managers, and establishes persistence through infection markers. Compromised packages were quarantined following analysis.", "modified": "2026-05-21T00:26:24.796000", "created": "2026-05-19T22:26:56.337000", "tags": [ "durabletask", "github secrets", "kubernetes lateral movement", "rope.pyz", "managed.pyz", "supply chain attack", "password manager", "credential theft", "transformers.pyz", "aws ssm propagation", "pypi compromise" ], "references": [ "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "rope.pyz", "display_name": "rope.pyz", "target": null }, { "id": "transformers.pyz", "display_name": "transformers.pyz", "target": null }, { "id": "managed.pyz", "display_name": "managed.pyz", "target": null } ], "attack_ids": [ { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "hostname": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8fd07acd99ff5c119d4f", "name": "Latest PyPi Compromise", "description": "", "modified": "2026-05-21T04:53:36.971000", "created": "2026-05-21T04:53:36.971000", "tags": [ "durabletask", "github secrets", "kubernetes lateral movement", "rope.pyz", "managed.pyz", "supply chain attack", "password manager", "credential theft", "transformers.pyz", "aws ssm propagation", "pypi compromise" ], "references": [ "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "rope.pyz", "display_name": "rope.pyz", "target": null }, { "id": "transformers.pyz", "display_name": "transformers.pyz", "target": null }, { "id": "managed.pyz", "display_name": "managed.pyz", "target": null } ], "attack_ids": [ { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0ce3b0ad791179648c47b0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "hostname": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Transformers.pyz", "Rope.pyz", "Managed.pyz" ], "industries": [ "Technology" ], "unique_indicators": 9 }, "other": { "adversary": [ "TeamPCP", "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef" ], "malware_families": [ "Transformers.pyz", "Rope.pyz", "Managed.pyz" ], "industries": [ "Technology" ], "unique_indicators": 946 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/m-kosche.com", "whois": "http://whois.domaintools.com/m-kosche.com", "domain": "m-kosche.com", "hostname": "t.m-kosche.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a0ce3b0ad791179648c47b0", "name": "Latest PyPi Compromise", "description": "A supply chain attack targeting the Microsoft DurableTask Python client compromised versions 1.4.1, 1.4.2, and 1.4.3 on PyPi. The threat actor gained access through a compromised GitHub account previously linked to attacks, using stolen credentials to dump GitHub secrets containing PyPi tokens. The evolved payload targets Linux systems, stealing credentials from AWS, Azure, GCP, Kubernetes, Vault, and password managers like Bitwarden and 1Password. It propagates via AWS SSM and Kubernetes lateral movement, limited to 5 targets per infected host. The payload scrapes shell history, bruteforces password managers, and establishes persistence through infection markers. Compromised packages were quarantined following analysis.", "modified": "2026-05-21T00:26:24.796000", "created": "2026-05-19T22:26:56.337000", "tags": [ "durabletask", "github secrets", "kubernetes lateral movement", "rope.pyz", "managed.pyz", "supply chain attack", "password manager", "credential theft", "transformers.pyz", "aws ssm propagation", "pypi compromise" ], "references": [ "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "rope.pyz", "display_name": "rope.pyz", "target": null }, { "id": "transformers.pyz", "display_name": "transformers.pyz", "target": null }, { "id": "managed.pyz", "display_name": "managed.pyz", "target": null } ], "attack_ids": [ { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "hostname": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8fd07acd99ff5c119d4f", "name": "Latest PyPi Compromise", "description": "", "modified": "2026-05-21T04:53:36.971000", "created": "2026-05-21T04:53:36.971000", "tags": [ "durabletask", "github secrets", "kubernetes lateral movement", "rope.pyz", "managed.pyz", "supply chain attack", "password manager", "credential theft", "transformers.pyz", "aws ssm propagation", "pypi compromise" ], "references": [ "https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "rope.pyz", "display_name": "rope.pyz", "target": null }, { "id": "transformers.pyz", "display_name": "transformers.pyz", "target": null }, { "id": "managed.pyz", "display_name": "managed.pyz", "target": null } ], "attack_ids": [ { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1555.005", "name": "Password Managers", "display_name": "T1555.005 - Password Managers" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0ce3b0ad791179648c47b0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "hostname": 2 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://t.m-kosche.com/rope.pyz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://t.m-kosche.com/rope.pyz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780185015.0560386 }