{ "type": "URL", "indicator": "https://telegram.me/n1ds03", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://telegram.me/n1ds03", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain telegram.me", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain telegram.me", "name": "Whitelisted domain" }, { "source": "newssite", "message": "Whitelisted news domain telegram.com", "name": "Whitelisted newssite network domain" } ], "base_indicator": { "id": 4184898151, "indicator": "https://telegram.me/n1ds03", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6975df937f993d415383df51", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-25", "description": "Automated ThreatFox hunt for Vidar indicators. 25 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-24T09:03:47.999000", "created": "2026-01-25T09:17:07.850000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "hostname": 2, "FileHash-SHA256": 6, "FileHash-MD5": 6 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974b1f17a90722f6b45c2ac", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(36), Cobalt Strike(15), SmartApeSG(11), KongTuke(8). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T11:04:22.911000", "created": "2026-01-24T11:50:09.488000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null }, { "id": "KongTuke", "display_name": "KongTuke", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "URL": 22, "hostname": 7 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69749cd1e78b50f0ef0245d6", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(16), SmartApeSG(11). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T10:00:47.654000", "created": "2026-01-24T10:20:01.626000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69748ec1095a79c393149989", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18), AsyncRAT(16). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T09:02:26.117000", "created": "2026-01-24T09:20:01.734000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697495cc2660b0fbc3f608ad", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(16), SmartApeSG(11). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T09:02:26.117000", "created": "2026-01-24T09:50:04.178000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697480ba425b4f1d34f57631", "name": "OSINT Volley 2026-01-24 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Vidar(34), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T08:04:54.846000", "created": "2026-01-24T08:20:10.638000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 9, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697487c3ca133ec916aeec7a", "name": "OSINT Volley 2026-01-24 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Vidar(34), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T08:04:54.846000", "created": "2026-01-24T08:50:11.177000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974749b40b8bd113c71c9e9", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:28:27.140000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697479a97920a09240e64598", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:50:01.462000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "URL": 27, "hostname": 10 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697464943a8f7d666304abd3", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T06:01:16.525000", "created": "2026-01-24T06:20:04.567000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697456879ad93dd402af6ad3", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T05:02:02.063000", "created": "2026-01-24T05:20:07.633000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69745d8da2249353883215f6", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T05:02:02.063000", "created": "2026-01-24T05:50:05.133000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697448780fc52795575445bd", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T04:01:42.193000", "created": "2026-01-24T04:20:08.105000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69744f7b7d69f38e040511a3", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 67 IPs with HTTPS, 25 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T04:01:42.193000", "created": "2026-01-24T04:50:03.871000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69743a61352955270335ea74", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(35), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 66 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T03:01:41.304000", "created": "2026-01-24T03:20:01.760000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69742c54ac829888847b9a4a", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T02:01:04.709000", "created": "2026-01-24T02:20:04.805000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974335b89a833d14e73b04e", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T02:01:04.709000", "created": "2026-01-24T02:50:03.452000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974254c58f954d5d5b8e741", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T01:01:46.630000", "created": "2026-01-24T01:50:04.371000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697410341ea94903ae4941b3", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T00:03:05.487000", "created": "2026-01-24T00:20:04.240000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974173dcefb6cf3e8c08d6d", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(112), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 64 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T00:03:05.487000", "created": "2026-01-24T00:50:05.311000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 12, "domain": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697402339e55e5aa8a320258", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 60 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T23:01:48.099000", "created": "2026-01-23T23:20:19.401000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 14, "domain": 8 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974092c3e7a6c7ad28bf1ab", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Phorpiex(39), Unknown malware(34), Vidar(34), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 60 IPs with HTTPS, 26 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T23:01:48.099000", "created": "2026-01-23T23:50:04.324000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 14, "domain": 8 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973f411e57db14995a24c4e", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Phorpiex(39), Vidar(32), Unknown malware(26), AsyncRAT(22). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T22:00:37.783000", "created": "2026-01-23T22:20:01.910000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 21, "domain": 11 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973fb1e3d59aa7928608c5e", "name": "OSINT Volley 2026-01-23 - Meterpreter/Phorpiex/Vidar", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Phorpiex(39), Vidar(32), Unknown malware(26), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T22:00:37.783000", "created": "2026-01-23T22:50:06.156000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "vidar", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 21, "domain": 11 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973e601685d6f0ad8542ef1", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), Unknown malware(25), AsyncRAT(25). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T21:01:10.068000", "created": "2026-01-23T21:20:01.722000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 21, "domain": 11 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973ed0bc527bbfd81cadbce", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), Unknown malware(26), AsyncRAT(25). Source: abuse.ch ThreatFox API. SSL enriched: 54 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T21:01:10.068000", "created": "2026-01-23T21:50:03.674000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 21, "domain": 11 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d7f5ee095dbef6a5596a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T20:00:48.797000", "created": "2026-01-23T20:20:05.279000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 23, "hostname": 24 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973defe3c40d8d2ab5d3919", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(104), Vidar(41), Phorpiex(39), AsyncRAT(28), Unknown malware(24). Source: abuse.ch ThreatFox API. SSL enriched: 55 IPs with HTTPS, 21 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T20:00:48.797000", "created": "2026-01-23T20:50:05.787000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "URL": 26, "hostname": 20 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973d0ec811c1eba11d727de", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), AsyncRAT(28), Ghost RAT(21). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T19:00:34.876000", "created": "2026-01-23T19:50:04.852000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 33, "hostname": 25 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973bbdc7ede58bf5c5684cd", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:20:12.183000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 36, "hostname": 25, "domain": 6 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973c2ddf1a3c59e50cf733a", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(28). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T18:01:14.865000", "created": "2026-01-23T18:50:05.240000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 33, "hostname": 25, "domain": 6 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6973adc4080817b837ceeacf", "name": "OSINT Volley 2026-01-23 - Meterpreter/Vidar/Phorpiex", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(103), Vidar(41), Phorpiex(39), Nitrogen Ransomware(36), AsyncRAT(24). Source: abuse.ch ThreatFox API. SSL enriched: 47 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-22T17:02:53.014000", "created": "2026-01-23T17:20:04.696000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "phorpiex", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Nitrogen Ransomware", "display_name": "Nitrogen Ransomware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 22, "URL": 44, "domain": 6 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "100 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974f84427653461173a8a53", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:50:12.906000", "created": "2026-01-24T16:50:12.906000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 145, "domain": 117, "URL": 28 }, "indicator_count": 290, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974f5edb422bc176c640834", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:40:13.550000", "created": "2026-01-24T16:40:13.550000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 141 }, "indicator_count": 290, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974f395d540437a9e420d4c", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:30:13.091000", "created": "2026-01-24T16:30:13.091000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 141 }, "indicator_count": 290, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974f13e8e014219b747d035", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:20:14.557000", "created": "2026-01-24T16:20:14.557000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 141 }, "indicator_count": 290, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974eee4fb0c0768e087add8", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:10:12.600000", "created": "2026-01-24T16:10:12.600000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 141 }, "indicator_count": 290, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974ec8ef448b637b0f35e57", "name": "PreCog Sweep - 2026-01-24 16h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T16:00:14.263000", "created": "2026-01-24T16:00:14.263000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 145 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974ea35d3b7fc177d582b87", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:50:13.770000", "created": "2026-01-24T15:50:13.770000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 145 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974e7ddb07f94d8a0b0c8cf", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:40:13.457000", "created": "2026-01-24T15:40:13.457000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 145 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974e5841862e8902c8192fe", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:30:12.795000", "created": "2026-01-24T15:30:12.795000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 145 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974e32eafd0198868451d43", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:20:14.018000", "created": "2026-01-24T15:20:14.018000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 121, "hostname": 145 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974e0d42734606aa746f394", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:10:12.971000", "created": "2026-01-24T15:10:12.971000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 117, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974de7e9c17ad028d99b35f", "name": "PreCog Sweep - 2026-01-24 15h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T15:00:14.312000", "created": "2026-01-24T15:00:14.312000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 117, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974dc2646650589f0f3d4ab", "name": "PreCog Sweep - 2026-01-24 14h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T14:50:14.679000", "created": "2026-01-24T14:50:14.679000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 117, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974d9cd15c8cc7a82b4b60d", "name": "PreCog Sweep - 2026-01-24 14h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T14:40:13.417000", "created": "2026-01-24T14:40:13.417000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 35, "domain": 117, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974d776f8be964b58715603", "name": "PreCog Sweep - 2026-01-24 14h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T14:30:14.100000", "created": "2026-01-24T14:30:14.100000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 34, "domain": 118, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974d51c144d9ecf44160de1", "name": "PreCog Sweep - 2026-01-24 14h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T14:20:12.735000", "created": "2026-01-24T14:20:12.735000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 34, "domain": 118, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974d2c79f9dd10fa1d4cd78", "name": "PreCog Sweep - 2026-01-24 14h", "description": "Novel threat indicators detected by PreCog Sweep Engine", "modified": "2026-01-24T14:10:15.284000", "created": "2026-01-24T14:10:15.284000", "tags": [ "precog", "automated", "novel-ioc", "c2", "malware" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://github.com/pduggusa/dugganusa-research" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 34, "domain": 118, "hostname": 142 }, "indicator_count": 294, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix/master", "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch", "https://github.com/pduggusa/dugganusa-research" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cobalt strike", "Kongtuke", "Vidar", "Smartapesg", "Nitrogen ransomware", "Meterpreter", "Unknown malware", "Phorpiex", "Ghost rat", "Asyncrat" ], "industries": [], "unique_indicators": 726 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/telegram.me", "whois": "http://whois.domaintools.com/telegram.me", "domain": "telegram.me", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6975df937f993d415383df51", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-25", "description": "Automated ThreatFox hunt for Vidar indicators. 25 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-24T09:03:47.999000", "created": "2026-01-25T09:17:07.850000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "hostname": 2, "FileHash-SHA256": 6, "FileHash-MD5": 6 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974b1f17a90722f6b45c2ac", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Cobalt Strike", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(36), Cobalt Strike(15), SmartApeSG(11), KongTuke(8). Source: abuse.ch ThreatFox API. SSL enriched: 33 IPs with HTTPS, 15 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T11:04:22.911000", "created": "2026-01-24T11:50:09.488000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "cobalt-strike", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null }, { "id": "KongTuke", "display_name": "KongTuke", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "URL": 22, "hostname": 7 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69749cd1e78b50f0ef0245d6", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(16), SmartApeSG(11). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T10:00:47.654000", "created": "2026-01-24T10:20:01.626000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 199, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69748ec1095a79c393149989", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18), AsyncRAT(16). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T09:02:26.117000", "created": "2026-01-24T09:20:01.734000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697495cc2660b0fbc3f608ad", "name": "OSINT Volley 2026-01-24 - Meterpreter/Unknown malware/Ghost RAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Unknown malware(32), Ghost RAT(22), Cobalt Strike(16), SmartApeSG(11). Source: abuse.ch ThreatFox API. SSL enriched: 34 IPs with HTTPS, 14 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T09:02:26.117000", "created": "2026-01-24T09:50:04.178000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "unknown-malware", "ghost-rat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "SmartApeSG", "display_name": "SmartApeSG", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697480ba425b4f1d34f57631", "name": "OSINT Volley 2026-01-24 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Vidar(34), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 42 IPs with HTTPS, 22 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T08:04:54.846000", "created": "2026-01-24T08:20:10.638000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28, "domain": 9, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697487c3ca133ec916aeec7a", "name": "OSINT Volley 2026-01-24 - Meterpreter/Vidar/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(130), Vidar(34), Unknown malware(32), Ghost RAT(22), Cobalt Strike(18). Source: abuse.ch ThreatFox API. SSL enriched: 40 IPs with HTTPS, 20 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T08:04:54.846000", "created": "2026-01-24T08:50:11.177000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "vidar", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 25, "domain": 9, "hostname": 7 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974745d40b8bd113c71c9e8", "name": "ThreatFox Hunt: Vidar IOCs - 2026-01-24", "description": "Automated ThreatFox hunt for Vidar indicators. 74 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1555.003, T1539, T1005, T1041. Reference: https://analytics.dugganusa.com", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:27:25.638000", "tags": [ "vidar", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "stealer", "credential-theft" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 18, "URL": 33, "FileHash-SHA256": 3, "FileHash-MD5": 3 }, "indicator_count": 57, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6974749b40b8bd113c71c9e9", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 37 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:28:27.140000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 27, "hostname": 10, "domain": 8 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697479a97920a09240e64598", "name": "OSINT Volley 2026-01-24 - Meterpreter/Phorpiex/Unknown malware", "description": "Automated OSINT sweep from ThreatFox. Top malware: Meterpreter(111), Phorpiex(39), Unknown malware(36), Vidar(34), Cobalt Strike(22). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 23 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T07:50:01.462000", "tags": [ "osint-volley", "threatfox", "automated", "meterpreter", "phorpiex", "unknown-malware", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "URL": 27, "hostname": 10 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://telegram.me/n1ds03", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://telegram.me/n1ds03", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780465341.7797701 }