{ "type": "URL", "indicator": "https://tydime.io/api.php'", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://tydime.io/api.php'", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3942011148, "indicator": "https://tydime.io/api.php'", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66bf0c02bc4cb78c8570dc93", "name": "Campaign uses infostealers and clippers for financial gain", "description": "Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and StealC, as well as clippers. In addition to distributing malware, the campaigns trick victims into providing credentials and linking cryptocurrency wallets to drain funds. The analysis covers three active sub-campaigns involving multistage malware, process injection, and various evasion techniques.", "modified": "2024-09-15T08:01:38.066000", "created": "2024-08-16T08:21:22.365000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 187, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386489, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c593c747680e104d2a52b9", "name": "Tusk: unraveling a complex infostealer campaign", "description": "", "modified": "2024-09-15T08:01:38.066000", "created": "2024-08-21T07:14:15.451000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66bf0c02bc4cb78c8570dc93", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d80a14da27c334dfa346d3", "name": "Tusk: unraveling a complex infostealer campaign", "description": "", "modified": "2024-09-15T08:01:38.066000", "created": "2024-09-04T07:19:48.825000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66c593c747680e104d2a52b9", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Stealc", "Danabot" ], "industries": [], "unique_indicators": 61 }, "other": { "adversary": [], "malware_families": [ "Stealc", "Danabot" ], "industries": [], "unique_indicators": 61 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/tydime.io", "whois": "http://whois.domaintools.com/tydime.io", "domain": "tydime.io", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66bf0c02bc4cb78c8570dc93", "name": "Campaign uses infostealers and clippers for financial gain", "description": "Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and StealC, as well as clippers. In addition to distributing malware, the campaigns trick victims into providing credentials and linking cryptocurrency wallets to drain funds. The analysis covers three active sub-campaigns involving multistage malware, process injection, and various evasion techniques.", "modified": "2024-09-15T08:01:38.066000", "created": "2024-08-16T08:21:22.365000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 187, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 386489, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c593c747680e104d2a52b9", "name": "Tusk: unraveling a complex infostealer campaign", "description": "", "modified": "2024-09-15T08:01:38.066000", "created": "2024-08-21T07:14:15.451000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66bf0c02bc4cb78c8570dc93", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d80a14da27c334dfa346d3", "name": "Tusk: unraveling a complex infostealer campaign", "description": "", "modified": "2024-09-15T08:01:38.066000", "created": "2024-09-04T07:19:48.825000", "tags": [ "evasion", "stealc", "phishing", "clipper", "injection", "danabot", "russian", "infostealer", "cryptocurrency" ], "references": [ "https://securelist.com/tusk-infostealers-campaign/113367/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Danabot", "display_name": "Danabot", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null } ], "attack_ids": [ { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "66c593c747680e104d2a52b9", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 2, "URL": 1, "domain": 24, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 21 }, "indicator_count": 53, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://tydime.io/api.php'", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://tydime.io/api.php'", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780211347.2758608 }