{ "type": "URL", "indicator": "https://this.iframe.document.open", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://this.iframe.document.open", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3500772937, "indicator": "https://this.iframe.document.open", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68341d93e12cc9934920d926", "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics", "description": "Russia-Aligned TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.", "modified": "2025-06-25T07:01:11.856000", "created": "2025-05-26T07:51:47.680000", "tags": [ "tag110", "sub procedure", "insikt group", "future", "tajikistan", "word", "microsoft word", "hatvibe", "central asia", "word startup", "template", "february", "kremlin", "copy", "soar", "insikt", "cases prevent", "hta hatvibe" ], "references": [ "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled" ], "public": 1, "adversary": "Insikt", "targeted_countries": [ "Tajikistan", "Russian Federation", "Kazakhstan", "Uzbekistan" ], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "HTA HATVIBE", "display_name": "HTA HATVIBE", "target": null }, { "id": "HATVIBE", "display_name": "HATVIBE", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Defense", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 22, "domain": 22, "hostname": 10 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 551, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68301c551b7142ed4a4df383", "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics", "description": "Russia-Aligned TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.", "modified": "2025-06-22T06:00:07.389000", "created": "2025-05-23T06:57:25.188000", "tags": [ "tag110", "sub procedure", "insikt group", "future", "tajikistan", "word", "microsoft word", "hatvibe", "central asia", "word startup", "template", "february", "kremlin", "copy", "soar", "insikt", "cases prevent", "hta hatvibe" ], "references": [ "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled" ], "public": 1, "adversary": "Insikt", "targeted_countries": [ "Tajikistan", "Russian Federation", "Kazakhstan", "Uzbekistan" ], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "HTA HATVIBE", "display_name": "HTA HATVIBE", "target": null }, { "id": "HATVIBE", "display_name": "HATVIBE", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Defense", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 22, "domain": 22, "hostname": 10 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676b5a7cd903a3fec3a68ba7", "name": "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview", "description": "We use cookies to store information on our website, but we do not store any personally identifiable data, so we may use them to monitor how we interact with your browser and send messages to our users.", "modified": "2025-05-14T21:23:57.367000", "created": "2024-12-25T01:06:04.499000", "tags": [ "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "nothreat osint", "znaleziono cz", "werdykt brak", "duration", "analytics", "reject all", "cookie ga", "file details", "url details", "rules extracted", "alexa" ], "references": [ "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-SHA256": 88, "domain": 8, "hostname": 16 }, "indicator_count": 182, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62c231f263ca042121a81827", "name": "oracle is shocking", "description": "", "modified": "2022-08-03T00:05:10.569000", "created": "2022-07-04T00:18:58.267000", "tags": [ "span", "section", "button", "tbody", "script", "path", "java", "archive", "download", "cc02v0", "meta", "installer", "date", "iframe", "contact", "form", "service", "critical", "close", "alpha", "false", "click", "main", "energy", "life", "media", "write", "back", "widget", "tools", "protect", "april", "python", "ukraine", "indonesia", "middle", "facebook", "twitter" ], "references": [ "oracle com downl # java.pdf", "www.oracle.com - urlscan.io.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 956, "FileHash-SHA256": 237, "hostname": 197, "domain": 59, "FileHash-MD5": 2 }, "indicator_count": 1451, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html", "oracle com downl # java.pdf", "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled", "www.oracle.com - urlscan.io.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Insikt" ], "malware_families": [ "Hta hatvibe", "Hatvibe", "Cases prevent" ], "industries": [ "Defense", "Government", "Military" ], "unique_indicators": 1691 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/document.open", "whois": "http://whois.domaintools.com/document.open", "domain": "document.open", "hostname": "this.iframe.document.open" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68341d93e12cc9934920d926", "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics", "description": "Russia-Aligned TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.", "modified": "2025-06-25T07:01:11.856000", "created": "2025-05-26T07:51:47.680000", "tags": [ "tag110", "sub procedure", "insikt group", "future", "tajikistan", "word", "microsoft word", "hatvibe", "central asia", "word startup", "template", "february", "kremlin", "copy", "soar", "insikt", "cases prevent", "hta hatvibe" ], "references": [ "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled" ], "public": 1, "adversary": "Insikt", "targeted_countries": [ "Tajikistan", "Russian Federation", "Kazakhstan", "Uzbekistan" ], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "HTA HATVIBE", "display_name": "HTA HATVIBE", "target": null }, { "id": "HATVIBE", "display_name": "HATVIBE", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Defense", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 22, "domain": 22, "hostname": 10 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 551, "modified_text": "342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68301c551b7142ed4a4df383", "name": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics", "description": "Russia-Aligned TAG-110, a Russia-aligned cyber-espionage group linked to APT28, is targeting Tajikistan, according to a new report from Insikt Group.", "modified": "2025-06-22T06:00:07.389000", "created": "2025-05-23T06:57:25.188000", "tags": [ "tag110", "sub procedure", "insikt group", "future", "tajikistan", "word", "microsoft word", "hatvibe", "central asia", "word startup", "template", "february", "kremlin", "copy", "soar", "insikt", "cases prevent", "hta hatvibe" ], "references": [ "https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled" ], "public": 1, "adversary": "Insikt", "targeted_countries": [ "Tajikistan", "Russian Federation", "Kazakhstan", "Uzbekistan" ], "malware_families": [ { "id": "Cases Prevent", "display_name": "Cases Prevent", "target": null }, { "id": "HTA HATVIBE", "display_name": "HTA HATVIBE", "target": null }, { "id": "HATVIBE", "display_name": "HATVIBE", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Defense", "Military" ], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 22, "domain": 22, "hostname": 10 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676b5a7cd903a3fec3a68ba7", "name": "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview", "description": "We use cookies to store information on our website, but we do not store any personally identifiable data, so we may use them to monitor how we interact with your browser and send messages to our users.", "modified": "2025-05-14T21:23:57.367000", "created": "2024-12-25T01:06:04.499000", "tags": [ "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "nothreat osint", "znaleziono cz", "werdykt brak", "duration", "analytics", "reject all", "cookie ga", "file details", "url details", "rules extracted", "alexa" ], "references": [ "fec126b5fc67fefdf27ad52ae8c829836f47d29eef6eea8f77c86c996969a9da - Overview.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-SHA256": 88, "domain": 8, "hostname": 16 }, "indicator_count": 182, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62c231f263ca042121a81827", "name": "oracle is shocking", "description": "", "modified": "2022-08-03T00:05:10.569000", "created": "2022-07-04T00:18:58.267000", "tags": [ "span", "section", "button", "tbody", "script", "path", "java", "archive", "download", "cc02v0", "meta", "installer", "date", "iframe", "contact", "form", "service", "critical", "close", "alpha", "false", "click", "main", "energy", "life", "media", "write", "back", "widget", "tools", "protect", "april", "python", "ukraine", "indonesia", "middle", "facebook", "twitter" ], "references": [ "oracle com downl # java.pdf", "www.oracle.com - urlscan.io.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 956, "FileHash-SHA256": 237, "hostname": 197, "domain": 59, "FileHash-MD5": 2 }, "indicator_count": 1451, "is_author": false, "is_subscribing": null, "subscriber_count": 392, "modified_text": "1399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://this.iframe.document.open", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://this.iframe.document.open", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780430906.4533167 }