{ "type": "URL", "indicator": "https://unlockk.play-google-store.ru", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://unlockk.play-google-store.ru", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4147630960, "indicator": "https://unlockk.play-google-store.ru", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6911cdc11d3b1ec1aa03d9bf", "name": "Fantasy Hub: Another Russian Based RAT as Malware-as-a-Service", "description": "A new Android Remote Access Trojan called Fantasy Hub has been identified, sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The malware offers extensive device control and espionage capabilities, including SMS exfiltration, contact theft, call log access, and bulk image and video theft. It can intercept, reply to, and delete incoming notifications. The spyware is promoted online with detailed capabilities and instructions for creating fake Google Play pages to evade detection. Fantasy Hub targets financial institutions, deploying fake windows to obtain banking credentials. The MaaS model includes seller documentation, videos, and a bot-driven subscription system, making it accessible to novice attackers.", "modified": "2025-11-10T11:36:09.510000", "created": "2025-11-10T11:34:25.413000", "tags": [ "sms", "android", "financial", "banking", "spyware", "russian", "rat", "maas", "fantasy hub" ], "references": [ "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/hosts.csv", "https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s", "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/apks.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Fantasy Hub", "display_name": "Fantasy Hub", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 81, "FileHash-SHA256": 145, "URL": 12, "domain": 9, "hostname": 3 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 377765, "modified_text": "161 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6873708, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69404b09d8296388596ecfa9", "name": "BLOCK_2025_DIC", "description": "", "modified": "2025-12-24T16:04:11.529000", "created": "2025-12-15T17:53:13.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2300, "FileHash-MD5": 4833, "URL": 1673, "hostname": 1297, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3235, "CIDR": 19, "email": 170, "CVE": 4 }, "indicator_count": 23916, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/hosts.csv", "https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s", "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/apks.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Fantasy hub" ], "industries": [ "Finance" ], "unique_indicators": 331 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 23355 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/play-google-store.ru", "whois": "http://whois.domaintools.com/play-google-store.ru", "domain": "play-google-store.ru", "hostname": "unlockk.play-google-store.ru" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6911cdc11d3b1ec1aa03d9bf", "name": "Fantasy Hub: Another Russian Based RAT as Malware-as-a-Service", "description": "A new Android Remote Access Trojan called Fantasy Hub has been identified, sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The malware offers extensive device control and espionage capabilities, including SMS exfiltration, contact theft, call log access, and bulk image and video theft. It can intercept, reply to, and delete incoming notifications. The spyware is promoted online with detailed capabilities and instructions for creating fake Google Play pages to evade detection. Fantasy Hub targets financial institutions, deploying fake windows to obtain banking credentials. The MaaS model includes seller documentation, videos, and a bot-driven subscription system, making it accessible to novice attackers.", "modified": "2025-11-10T11:36:09.510000", "created": "2025-11-10T11:34:25.413000", "tags": [ "sms", "android", "financial", "banking", "spyware", "russian", "rat", "maas", "fantasy hub" ], "references": [ "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/hosts.csv", "https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s", "https://github.com/Zimperium/IOC/blob/master/2025-11-FantasyHUB/apks.csv" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation" ], "malware_families": [ { "id": "Fantasy Hub", "display_name": "Fantasy Hub", "target": null } ], "attack_ids": [], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 81, "FileHash-SHA1": 81, "FileHash-SHA256": 145, "URL": 12, "domain": 9, "hostname": 3 }, "indicator_count": 331, "is_author": false, "is_subscribing": null, "subscriber_count": 377765, "modified_text": "161 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6873708, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69404b09d8296388596ecfa9", "name": "BLOCK_2025_DIC", "description": "", "modified": "2025-12-24T16:04:11.529000", "created": "2025-12-15T17:53:13.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2300, "FileHash-MD5": 4833, "URL": 1673, "hostname": 1297, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3235, "CIDR": 19, "email": 170, "CVE": 4 }, "indicator_count": 23916, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://unlockk.play-google-store.ru", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://unlockk.play-google-store.ru", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776703272.1163752 }