{ "type": "URL", "indicator": "https://taxi.ru", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://taxi.ru", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4249238183, "indicator": "https://taxi.ru", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ade32143a4eebbe98be329", "name": "TAXISPY RAT : Analysis of TaxiSpy RAT Russian Banking Focused Android Malware with Full Remote Control", "description": "TaxiSpy RAT is an advanced Android banking Trojan integrated with Remote Access Trojan (RAT) functionality, primarily aimed at Russian financial institutions. This malware employs sophisticated evasion techniques, including native library encryption and rolling XOR string obfuscation, enabling it to operate stealthily. Its architecture facilitates comprehensive device surveillance, targeting SMS, call logs, contacts, and notifications, indicative of its financially motivated intent to steal sensitive information and remotely control devices.", "modified": "2026-04-07T20:13:04.622000", "created": "2026-03-08T20:59:13.402000", "tags": [ "http post", "firebase", "section", "accessibility", "xor key", "c2 server", "otps", "android banking", "trojan", "websocket", "android", "malware", "push", "crypto", "webview", "persistence", "rats", "json", "apk rutaxi", "worker key", "campaign", "firebase xor", "cc e3", "c2 xor" ], "references": [ "https://www.cyfirma.com/research/taxispy-rat-analysis-of-taxispy-rat-russian-banking-focused-android-malware-with-full-remote-control/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TaxiSpy RAT", "display_name": "TaxiSpy RAT", "target": null } ], "attack_ids": [ { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1603", "name": "Scheduled Task/Job", "display_name": "T1603 - Scheduled Task/Job" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1420", "name": "File and Directory Discovery", "display_name": "T1420 - File and Directory Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" }, { "id": "T1521", "name": "Standard Cryptographic Protocol", "display_name": "T1521 - Standard Cryptographic Protocol" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" } ], "industries": [ "Banking", "Financial", "Government", "Cryptocurrency" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "YARA": 1, "domain": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.1.csv", "https://www.cyfirma.com/research/taxispy-rat-analysis-of-taxispy-rat-russian-banking-focused-android-malware-with-full-remote-control/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab" ], "malware_families": [ "Taxispy rat" ], "industries": [ "Financial", "Government", "Banking", "Cryptocurrency" ], "unique_indicators": 993 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/taxi.ru", "whois": "http://whois.domaintools.com/taxi.ru", "domain": "taxi.ru", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ade32143a4eebbe98be329", "name": "TAXISPY RAT : Analysis of TaxiSpy RAT Russian Banking Focused Android Malware with Full Remote Control", "description": "TaxiSpy RAT is an advanced Android banking Trojan integrated with Remote Access Trojan (RAT) functionality, primarily aimed at Russian financial institutions. This malware employs sophisticated evasion techniques, including native library encryption and rolling XOR string obfuscation, enabling it to operate stealthily. Its architecture facilitates comprehensive device surveillance, targeting SMS, call logs, contacts, and notifications, indicative of its financially motivated intent to steal sensitive information and remotely control devices.", "modified": "2026-04-07T20:13:04.622000", "created": "2026-03-08T20:59:13.402000", "tags": [ "http post", "firebase", "section", "accessibility", "xor key", "c2 server", "otps", "android banking", "trojan", "websocket", "android", "malware", "push", "crypto", "webview", "persistence", "rats", "json", "apk rutaxi", "worker key", "campaign", "firebase xor", "cc e3", "c2 xor" ], "references": [ "https://www.cyfirma.com/research/taxispy-rat-analysis-of-taxispy-rat-russian-banking-focused-android-malware-with-full-remote-control/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TaxiSpy RAT", "display_name": "TaxiSpy RAT", "target": null } ], "attack_ids": [ { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1603", "name": "Scheduled Task/Job", "display_name": "T1603 - Scheduled Task/Job" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1420", "name": "File and Directory Discovery", "display_name": "T1420 - File and Directory Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1513", "name": "Screen Capture", "display_name": "T1513 - Screen Capture" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1437", "name": "Standard Application Layer Protocol", "display_name": "T1437 - Standard Application Layer Protocol" }, { "id": "T1521", "name": "Standard Cryptographic Protocol", "display_name": "T1521 - Standard Cryptographic Protocol" }, { "id": "T1481", "name": "Web Service", "display_name": "T1481 - Web Service" } ], "industries": [ "Banking", "Financial", "Government", "Cryptocurrency" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2, "YARA": 1, "domain": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://taxi.ru", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://taxi.ru", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780354690.2956283 }