{
  "type": "URL",
  "indicator": "https://tecnojournals.com/general",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://tecnojournals.com/general",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3434674114,
      "indicator": "https://tecnojournals.com/general",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "626bba5ec3f783b80d69a882",
          "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets",
          "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, security firm Symantec has discovered.",
          "modified": "2022-07-08T21:20:57.086000",
          "created": "2022-04-29T10:13:50.154000",
          "tags": [
            "preft",
            "stonefly",
            "ddos",
            "winscp",
            "infostealer"
          ],
          "references": [
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
          ],
          "public": 1,
          "adversary": "Stonefly",
          "targeted_countries": [
            "Korea, Republic of"
          ],
          "malware_families": [
            {
              "id": "Preft",
              "display_name": "Preft",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [
            "Financial",
            "Government",
            "Aerospace",
            "Military",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 249,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 25,
            "URL": 6,
            "domain": 4
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377672,
          "modified_text": "1381 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c550d6972c7cd04374c890",
          "name": "VSingle malware obtains C2 server information from GitHub",
          "description": "Recently, the malware used by Lazarus VSingle has been updated to retrieve C2 servers information from GitHub. This article focuses on the updates of VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.",
          "modified": "2022-07-06T09:07:34.009000",
          "created": "2022-07-06T09:07:34.009000",
          "tags": [
            "vsingle",
            "lazarus",
            "apt"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "VSingle",
              "display_name": "VSingle",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 393,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11,
            "FileHash-SHA256": 3,
            "domain": 4,
            "hostname": 3
          },
          "indicator_count": 21,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377671,
          "modified_text": "1383 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "634097b4fe58bef0e200b6f7",
          "name": "RedLine Stealer Malware IOC",
          "description": "Observado por primera vez en 2020 y anunciado en varios foros de ciberdelincuentes como una amenaza de 'Malware-as-a-Service' (MaaS), Redline es un ladr\u00f3n de informaci\u00f3n que se dirige principalmente a las credenciales de las v\u00edctimas de Windows y las billeteras de criptomonedas, as\u00ed como a la informaci\u00f3n del navegador, conexiones FTP, lanzadores de chat de juegos e informaci\u00f3n del sistema operativo, como hardware del sistema, nombres de procesos, zona horaria, IP, informaci\u00f3n de ubicaci\u00f3n geogr\u00e1fica, versi\u00f3n del sistema operativo e idioma predeterminado.",
          "modified": "2022-11-06T21:05:58.375000",
          "created": "2022-10-07T21:18:44.521000",
          "tags": [
            "redline",
            "xmldictionary",
            "c2 server",
            "appdata",
            "soap",
            "directory",
            "discord",
            "telegram",
            "windows product",
            "downloadandex",
            "redline stealer",
            "steam",
            "atomic",
            "pass",
            "cuando",
            "ciberseguridad redline",
            "cronup",
            "strong",
            "imagen",
            "santiago",
            "blog contacto",
            "actualizacin",
            "stealer",
            "extraer",
            "panda",
            "troyano",
            "emotet",
            "february",
            "alerta",
            "malware",
            "autor",
            "phishing",
            "ransomware",
            "q3",
            "figure",
            "http post",
            "windows",
            "redline control",
            "english",
            "soap envelope",
            "telegram bot",
            "twitter",
            "bitcoin",
            "desktop",
            "august",
            "december",
            "january",
            "date",
            "registrar",
            "organization",
            "ozil verfig",
            "country",
            "download",
            "insikt",
            "methods redline",
            "cybergate",
            "zingostealer",
            "dark crystal",
            "post redline",
            "summary redline",
            "ddw redline",
            "cracked redline",
            "information redline",
            "ms windows",
            "communication redline",
            "contract redline",
            "conclusion redline",
            "vidar",
            "lapsus$",
            "phishing activities",
            "threat intelligence",
            "maas (malware-as-a-service)",
            "nfts",
            "discord channels",
            "google ads",
            "smoke loader",
            "magnat",
            "telegram forums",
            "social engineering campaigns",
            "cyware",
            "platform",
            "cyber fusion",
            "threat briefing",
            "march",
            "cyber threat",
            "fusion",
            "rats",
            "june",
            "april",
            "soar",
            "contact",
            "attack",
            "autoit",
            "agenttesla",
            "limerat",
            "teamviewer",
            "spyagent",
            "team",
            "concept",
            "enterprise",
            "service",
            "protect",
            "entity1",
            "entity7",
            "details",
            "parts",
            "unique id",
            "send",
            "youtube video",
            "entity",
            "redlinestealer",
            "chat",
            "unknown",
            "raccoon",
            "amigo",
            "phantom"
          ],
          "references": [
            "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
            "https://cyware.com/research-and-analysis/all-about-high-in-demand-information-theft-tool-redline-stealer-0df1",
            "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
            "https://cyberint.com/blog/research/redline-stealer/",
            "https://www.cronup.com/top-malware-series-redline-stealer/",
            "https://securityscorecard.com/research/detailed-analysis-redline-stealer"
          ],
          "public": 1,
          "adversary": "Insikt",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "XmlDictionary",
              "display_name": "XmlDictionary",
              "target": null
            },
            {
              "id": "RedLine",
              "display_name": "RedLine",
              "target": null
            },
            {
              "id": "Ciberseguridad RedLine",
              "display_name": "Ciberseguridad RedLine",
              "target": null
            },
            {
              "id": "Q3",
              "display_name": "Q3",
              "target": null
            },
            {
              "id": "Dark Crystal",
              "display_name": "Dark Crystal",
              "target": null
            },
            {
              "id": "ZingoStealer",
              "display_name": "ZingoStealer",
              "target": null
            },
            {
              "id": "CyberGate",
              "display_name": "CyberGate",
              "target": null
            },
            {
              "id": "Methods RedLine",
              "display_name": "Methods RedLine",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Conclusion Redline",
              "display_name": "Conclusion Redline",
              "target": null
            },
            {
              "id": "Contract Redline",
              "display_name": "Contract Redline",
              "target": null
            },
            {
              "id": "Communication Redline",
              "display_name": "Communication Redline",
              "target": null
            },
            {
              "id": "MS Windows",
              "display_name": "MS Windows",
              "target": null
            },
            {
              "id": "Information Redline",
              "display_name": "Information Redline",
              "target": null
            },
            {
              "id": "Cracked Redline",
              "display_name": "Cracked Redline",
              "target": null
            },
            {
              "id": "DDW Redline",
              "display_name": "DDW Redline",
              "target": null
            },
            {
              "id": "Summary Redline",
              "display_name": "Summary Redline",
              "target": null
            },
            {
              "id": "Post Redline",
              "display_name": "Post Redline",
              "target": null
            },
            {
              "id": "Redline",
              "display_name": "Redline",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Financial",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dagger-1",
            "id": "202493",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 41,
            "FileHash-SHA1": 32,
            "FileHash-SHA256": 51,
            "URL": 21,
            "domain": 34,
            "hostname": 29
          },
          "indicator_count": 208,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "1260 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c4f11599a6f54979e9364c",
          "name": "VSingle malware that obtains C2 server information from GitHub - JPCERT/CC Eyes | JPCERT Coordination Center official Blog",
          "description": "The latest version of the VSingle malware, which was used by the Lazarus cyber-attack, retrieves data from C2 servers to access GitHub repositories, as shown in Figure 1 and Figure 2.",
          "modified": "2022-07-06T02:19:01.255000",
          "created": "2022-07-06T02:19:01.255000",
          "tags": [
            "vsingle",
            "lazarus",
            "c2 server",
            "khtml",
            "gecko"
          ],
          "references": [
            "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "VSingle",
              "display_name": "VSingle",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "caralin0702",
            "id": "73972",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "URL": 11,
            "domain": 5,
            "hostname": 3
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 100,
          "modified_text": "1384 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62718539151db9461c89a6a5",
          "name": "Killing The Bear - Campaign \"Silent Chollima - Spying Operation\" (2022-04-27)",
          "description": "North Korea-sponsored hackers have used a series of open-source tools to gain access to data on a public-facing VMware View server, according to a security firm and its researchers, who have identified the group.",
          "modified": "2022-05-03T19:41:11.686000",
          "created": "2022-05-03T19:40:41.327000",
          "tags": [
            "preft",
            "stonefly",
            "domain na",
            "symantec",
            "preft backdoor",
            "unknown file",
            "min read",
            "ddos",
            "threat hunter",
            "winscp",
            "download",
            "trojan",
            "february",
            "dtrack",
            "mimikatz",
            "powershell",
            "info",
            "service",
            "infostealer",
            "winrar",
            "team",
            "ransomware",
            "mitre",
            "stage",
            "mitre att",
            "darkseoul",
            "silent chollima",
            "cve202144228",
            "vmware view",
            "invokethehash",
            "energy"
          ],
          "references": [
            "https://killingthebear.jorgetesta.tech/silent-chollima/iocs",
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage?utm_medium=email&_hsmi=211902406&_hsenc=p2ANqtz-9VWZpbrLP9E9QK6wFk-tu1VF_rhc1DHdK6OAvq50jEt9KYKhyWKrogb6WZFrXLcM9rthHSaHrI8bhujV9p9KndIx6NZRdkSDhAZcJ4Vsssqvfku7Y&utm_content=211902406&utm_source=hs_email"
          ],
          "public": 1,
          "adversary": "Stonefly",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Preft",
              "display_name": "Preft",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            }
          ],
          "industries": [
            "Military",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "JTestaTech",
            "id": "176400",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176400/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 28,
            "URL": 6,
            "domain": 5
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "1447 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "626a269bab03bfde07e384df",
          "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets | Symantec Blogs",
          "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, security firm Symantec has discovered.",
          "modified": "2022-04-28T05:31:07.603000",
          "created": "2022-04-28T05:31:07.603000",
          "tags": [
            "preft",
            "stonefly",
            "domain na",
            "symantec",
            "min read",
            "preft backdoor",
            "unknown file",
            "threat hunter",
            "ddos",
            "continues",
            "team symantec",
            "winscp",
            "download",
            "main",
            "trojan",
            "february",
            "dtrack",
            "mimikatz",
            "powershell",
            "info",
            "service",
            "infostealer",
            "winrar",
            "team",
            "close"
          ],
          "references": [
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Preft",
              "display_name": "Preft",
              "target": null
            },
            {
              "id": "Stonefly",
              "display_name": "Stonefly",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            }
          ],
          "industries": [
            "Financial",
            "Government",
            "Aerospace",
            "Military",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 28,
            "URL": 6,
            "domain": 5
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 359,
          "modified_text": "1453 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "626a269a7e1966346042da23",
          "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets | Symantec Blogs",
          "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, security firm Symantec has discovered.",
          "modified": "2022-04-28T05:31:06.708000",
          "created": "2022-04-28T05:31:06.708000",
          "tags": [
            "preft",
            "stonefly",
            "domain na",
            "symantec",
            "min read",
            "preft backdoor",
            "unknown file",
            "threat hunter",
            "ddos",
            "continues",
            "team symantec",
            "winscp",
            "download",
            "main",
            "trojan",
            "february",
            "dtrack",
            "mimikatz",
            "powershell",
            "info",
            "service",
            "infostealer",
            "winrar",
            "team",
            "close"
          ],
          "references": [
            "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Preft",
              "display_name": "Preft",
              "target": null
            },
            {
              "id": "Stonefly",
              "display_name": "Stonefly",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            }
          ],
          "industries": [
            "Financial",
            "Government",
            "Aerospace",
            "Military",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 28,
            "URL": 6,
            "domain": 5
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 358,
          "modified_text": "1453 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage",
        "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html",
        "https://cyware.com/research-and-analysis/all-about-high-in-demand-information-theft-tool-redline-stealer-0df1",
        "https://securityscorecard.com/research/detailed-analysis-redline-stealer",
        "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
        "https://cyberint.com/blog/research/redline-stealer/",
        "https://killingthebear.jorgetesta.tech/silent-chollima/iocs",
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage?utm_medium=email&_hsmi=211902406&_hsenc=p2ANqtz-9VWZpbrLP9E9QK6wFk-tu1VF_rhc1DHdK6OAvq50jEt9KYKhyWKrogb6WZFrXLcM9rthHSaHrI8bhujV9p9KndIx6NZRdkSDhAZcJ4Vsssqvfku7Y&utm_content=211902406&utm_source=hs_email",
        "https://www.cronup.com/top-malware-series-redline-stealer/",
        "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lazarus",
            "Stonefly"
          ],
          "malware_families": [
            "Vsingle",
            "Preft"
          ],
          "industries": [
            "Financial",
            "Military",
            "Aerospace",
            "Government",
            "Energy"
          ],
          "unique_indicators": 58
        },
        "other": {
          "adversary": [
            "Insikt",
            "Lazarus",
            "Stonefly"
          ],
          "malware_families": [
            "Zingostealer",
            "Redline",
            "Ddw redline",
            "Post redline",
            "Stonefly",
            "Communication redline",
            "Information redline",
            "Summary redline",
            "Cracked redline",
            "Ms windows",
            "Methods redline",
            "Conclusion redline",
            "Ciberseguridad redline",
            "Preft",
            "Xmldictionary",
            "Vidar",
            "Vsingle",
            "Contract redline",
            "Cybergate",
            "Q3",
            "Dark crystal"
          ],
          "industries": [
            "Financial",
            "Military",
            "Aerospace",
            "Technology",
            "Government",
            "Energy"
          ],
          "unique_indicators": 305
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/tecnojournals.com",
    "whois": "http://whois.domaintools.com/tecnojournals.com",
    "domain": "tecnojournals.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "626bba5ec3f783b80d69a882",
      "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets",
      "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, according to security firm Symantec.",
      "modified": "2022-07-08T21:20:57.086000",
      "created": "2022-04-29T10:13:50.154000",
      "tags": [
        "preft",
        "stonefly",
        "ddos",
        "winscp",
        "infostealer"
      ],
      "references": [
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
      ],
      "public": 1,
      "adversary": "Stonefly",
      "targeted_countries": [
        "Korea, Republic of"
      ],
      "malware_families": [
        {
          "id": "Preft",
          "display_name": "Preft",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [
        "Financial",
        "Government",
        "Aerospace",
        "Military",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 249,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 25,
        "URL": 6,
        "domain": 4
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377672,
      "modified_text": "1381 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c550d6972c7cd04374c890",
      "name": "VSingle malware obtains C2 server information from GitHub",
      "description": "Recently, the malware used by Lazarus VSingle has been updated to retrieve C2 servers information from GitHub. This article focuses on the updates of VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.",
      "modified": "2022-07-06T09:07:34.009000",
      "created": "2022-07-06T09:07:34.009000",
      "tags": [
        "vsingle",
        "lazarus",
        "apt"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "VSingle",
          "display_name": "VSingle",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 393,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11,
        "FileHash-SHA256": 3,
        "domain": 4,
        "hostname": 3
      },
      "indicator_count": 21,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377671,
      "modified_text": "1383 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "634097b4fe58bef0e200b6f7",
      "name": "RedLine Stealer Malware IOC",
      "description": "Observado por primera vez en 2020 y anunciado en varios foros de ciberdelincuentes como una amenaza de 'Malware-as-a-Service' (MaaS), Redline es un ladr\u00f3n de informaci\u00f3n que se dirige principalmente a las credenciales de las v\u00edctimas de Windows y las billeteras de criptomonedas, as\u00ed como a la informaci\u00f3n del navegador, conexiones FTP, lanzadores de chat de juegos e informaci\u00f3n del sistema operativo, como hardware del sistema, nombres de procesos, zona horaria, IP, informaci\u00f3n de ubicaci\u00f3n geogr\u00e1fica, versi\u00f3n del sistema operativo e idioma predeterminado.",
      "modified": "2022-11-06T21:05:58.375000",
      "created": "2022-10-07T21:18:44.521000",
      "tags": [
        "redline",
        "xmldictionary",
        "c2 server",
        "appdata",
        "soap",
        "directory",
        "discord",
        "telegram",
        "windows product",
        "downloadandex",
        "redline stealer",
        "steam",
        "atomic",
        "pass",
        "cuando",
        "ciberseguridad redline",
        "cronup",
        "strong",
        "imagen",
        "santiago",
        "blog contacto",
        "actualizacin",
        "stealer",
        "extraer",
        "panda",
        "troyano",
        "emotet",
        "february",
        "alerta",
        "malware",
        "autor",
        "phishing",
        "ransomware",
        "q3",
        "figure",
        "http post",
        "windows",
        "redline control",
        "english",
        "soap envelope",
        "telegram bot",
        "twitter",
        "bitcoin",
        "desktop",
        "august",
        "december",
        "january",
        "date",
        "registrar",
        "organization",
        "ozil verfig",
        "country",
        "download",
        "insikt",
        "methods redline",
        "cybergate",
        "zingostealer",
        "dark crystal",
        "post redline",
        "summary redline",
        "ddw redline",
        "cracked redline",
        "information redline",
        "ms windows",
        "communication redline",
        "contract redline",
        "conclusion redline",
        "vidar",
        "lapsus$",
        "phishing activities",
        "threat intelligence",
        "maas (malware-as-a-service)",
        "nfts",
        "discord channels",
        "google ads",
        "smoke loader",
        "magnat",
        "telegram forums",
        "social engineering campaigns",
        "cyware",
        "platform",
        "cyber fusion",
        "threat briefing",
        "march",
        "cyber threat",
        "fusion",
        "rats",
        "june",
        "april",
        "soar",
        "contact",
        "attack",
        "autoit",
        "agenttesla",
        "limerat",
        "teamviewer",
        "spyagent",
        "team",
        "concept",
        "enterprise",
        "service",
        "protect",
        "entity1",
        "entity7",
        "details",
        "parts",
        "unique id",
        "send",
        "youtube video",
        "entity",
        "redlinestealer",
        "chat",
        "unknown",
        "raccoon",
        "amigo",
        "phantom"
      ],
      "references": [
        "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
        "https://cyware.com/research-and-analysis/all-about-high-in-demand-information-theft-tool-redline-stealer-0df1",
        "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
        "https://cyberint.com/blog/research/redline-stealer/",
        "https://www.cronup.com/top-malware-series-redline-stealer/",
        "https://securityscorecard.com/research/detailed-analysis-redline-stealer"
      ],
      "public": 1,
      "adversary": "Insikt",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "XmlDictionary",
          "display_name": "XmlDictionary",
          "target": null
        },
        {
          "id": "RedLine",
          "display_name": "RedLine",
          "target": null
        },
        {
          "id": "Ciberseguridad RedLine",
          "display_name": "Ciberseguridad RedLine",
          "target": null
        },
        {
          "id": "Q3",
          "display_name": "Q3",
          "target": null
        },
        {
          "id": "Dark Crystal",
          "display_name": "Dark Crystal",
          "target": null
        },
        {
          "id": "ZingoStealer",
          "display_name": "ZingoStealer",
          "target": null
        },
        {
          "id": "CyberGate",
          "display_name": "CyberGate",
          "target": null
        },
        {
          "id": "Methods RedLine",
          "display_name": "Methods RedLine",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Conclusion Redline",
          "display_name": "Conclusion Redline",
          "target": null
        },
        {
          "id": "Contract Redline",
          "display_name": "Contract Redline",
          "target": null
        },
        {
          "id": "Communication Redline",
          "display_name": "Communication Redline",
          "target": null
        },
        {
          "id": "MS Windows",
          "display_name": "MS Windows",
          "target": null
        },
        {
          "id": "Information Redline",
          "display_name": "Information Redline",
          "target": null
        },
        {
          "id": "Cracked Redline",
          "display_name": "Cracked Redline",
          "target": null
        },
        {
          "id": "DDW Redline",
          "display_name": "DDW Redline",
          "target": null
        },
        {
          "id": "Summary Redline",
          "display_name": "Summary Redline",
          "target": null
        },
        {
          "id": "Post Redline",
          "display_name": "Post Redline",
          "target": null
        },
        {
          "id": "Redline",
          "display_name": "Redline",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Financial",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dagger-1",
        "id": "202493",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 41,
        "FileHash-SHA1": 32,
        "FileHash-SHA256": 51,
        "URL": 21,
        "domain": 34,
        "hostname": 29
      },
      "indicator_count": 208,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "1260 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c4f11599a6f54979e9364c",
      "name": "VSingle malware that obtains C2 server information from GitHub - JPCERT/CC Eyes | JPCERT Coordination Center official Blog",
      "description": "The latest version of the VSingle malware, which was used by the Lazarus cyber-attack, retrieves data from C2 servers to access GitHub repositories, as shown in Figure 1 and Figure 2.",
      "modified": "2022-07-06T02:19:01.255000",
      "created": "2022-07-06T02:19:01.255000",
      "tags": [
        "vsingle",
        "lazarus",
        "c2 server",
        "khtml",
        "gecko"
      ],
      "references": [
        "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "VSingle",
          "display_name": "VSingle",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "caralin0702",
        "id": "73972",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "URL": 11,
        "domain": 5,
        "hostname": 3
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 100,
      "modified_text": "1384 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62718539151db9461c89a6a5",
      "name": "Killing The Bear - Campaign \"Silent Chollima - Spying Operation\" (2022-04-27)",
      "description": "North Korea-sponsored hackers have used a series of open-source tools to gain access to data on a public-facing VMware View server, according to a security firm and its researchers, who have identified the group.",
      "modified": "2022-05-03T19:41:11.686000",
      "created": "2022-05-03T19:40:41.327000",
      "tags": [
        "preft",
        "stonefly",
        "domain na",
        "symantec",
        "preft backdoor",
        "unknown file",
        "min read",
        "ddos",
        "threat hunter",
        "winscp",
        "download",
        "trojan",
        "february",
        "dtrack",
        "mimikatz",
        "powershell",
        "info",
        "service",
        "infostealer",
        "winrar",
        "team",
        "ransomware",
        "mitre",
        "stage",
        "mitre att",
        "darkseoul",
        "silent chollima",
        "cve202144228",
        "vmware view",
        "invokethehash",
        "energy"
      ],
      "references": [
        "https://killingthebear.jorgetesta.tech/silent-chollima/iocs",
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage?utm_medium=email&_hsmi=211902406&_hsenc=p2ANqtz-9VWZpbrLP9E9QK6wFk-tu1VF_rhc1DHdK6OAvq50jEt9KYKhyWKrogb6WZFrXLcM9rthHSaHrI8bhujV9p9KndIx6NZRdkSDhAZcJ4Vsssqvfku7Y&utm_content=211902406&utm_source=hs_email"
      ],
      "public": 1,
      "adversary": "Stonefly",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Preft",
          "display_name": "Preft",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        }
      ],
      "industries": [
        "Military",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "JTestaTech",
        "id": "176400",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176400/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 28,
        "URL": 6,
        "domain": 5
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "1447 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "626a269bab03bfde07e384df",
      "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets | Symantec Blogs",
      "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, according to security firm Symantec.",
      "modified": "2022-04-28T05:31:07.603000",
      "created": "2022-04-28T05:31:07.603000",
      "tags": [
        "preft",
        "stonefly",
        "domain na",
        "symantec",
        "min read",
        "preft backdoor",
        "unknown file",
        "threat hunter",
        "ddos",
        "continues",
        "team symantec",
        "winscp",
        "download",
        "main",
        "trojan",
        "february",
        "dtrack",
        "mimikatz",
        "powershell",
        "info",
        "service",
        "infostealer",
        "winrar",
        "team",
        "close"
      ],
      "references": [
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Preft",
          "display_name": "Preft",
          "target": null
        },
        {
          "id": "Stonefly",
          "display_name": "Stonefly",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        }
      ],
      "industries": [
        "Financial",
        "Government",
        "Aerospace",
        "Military",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mohdrennis",
        "id": "138092",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 28,
        "URL": 6,
        "domain": 5
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 359,
      "modified_text": "1453 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "626a269a7e1966346042da23",
      "name": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets | Symantec Blogs",
      "description": "A North Korean-linked cyber-espionage group, Stonefly, is continuing to target high-value engineering companies, security firm Symantec has discovered.",
      "modified": "2022-04-28T05:31:06.708000",
      "created": "2022-04-28T05:31:06.708000",
      "tags": [
        "preft",
        "stonefly",
        "domain na",
        "symantec",
        "min read",
        "preft backdoor",
        "unknown file",
        "threat hunter",
        "ddos",
        "continues",
        "team symantec",
        "winscp",
        "download",
        "main",
        "trojan",
        "february",
        "dtrack",
        "mimikatz",
        "powershell",
        "info",
        "service",
        "infostealer",
        "winrar",
        "team",
        "close"
      ],
      "references": [
        "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Preft",
          "display_name": "Preft",
          "target": null
        },
        {
          "id": "Stonefly",
          "display_name": "Stonefly",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        }
      ],
      "industries": [
        "Financial",
        "Government",
        "Aerospace",
        "Military",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mohdrennis",
        "id": "138092",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 28,
        "URL": 6,
        "domain": 5
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 358,
      "modified_text": "1453 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://tecnojournals.com/general",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://tecnojournals.com/general",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776674659.159999
}