{
  "type": "URL",
  "indicator": "https://vps3nter.ir/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://vps3nter.ir/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4146268245,
      "indicator": "https://vps3nter.ir/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "690cadc6a4a3c3370cc2e697",
          "name": "Gootloader Returns: What Goodies Did They Bring?",
          "description": "Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.",
          "modified": "2025-12-06T14:01:00.062000",
          "created": "2025-11-06T14:16:38.980000",
          "tags": [
            "vanilla tempest",
            "lateral movement",
            "noberus",
            "ransomware",
            "obfuscation",
            "gootloader",
            "quantum locker",
            "seo poisoning",
            "rhysida",
            "wordpress exploitation",
            "zeppelin",
            "javascript",
            "blackcat",
            "alphv",
            "supper socks5 backdoor"
          ],
          "references": [
            "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
          ],
          "public": 1,
          "adversary": "Storm-0494",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gootloader - S1138",
              "display_name": "Gootloader - S1138",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "BlackCat - S1068",
              "display_name": "BlackCat - S1068",
              "target": null
            },
            {
              "id": "ALPHV",
              "display_name": "ALPHV",
              "target": null
            },
            {
              "id": "Noberus",
              "display_name": "Noberus",
              "target": null
            },
            {
              "id": "Zeppelin",
              "display_name": "Zeppelin",
              "target": null
            },
            {
              "id": "Quantum Locker",
              "display_name": "Quantum Locker",
              "target": null
            },
            {
              "id": "Supper SOCKS5 Backdoor",
              "display_name": "Supper SOCKS5 Backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110.001",
              "name": "Password Guessing",
              "display_name": "T1110.001 - Password Guessing"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1136.002",
              "name": "Domain Account",
              "display_name": "T1136.002 - Domain Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1003.003",
              "name": "NTDS",
              "display_name": "T1003.003 - NTDS"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 66,
            "FileHash-SHA256": 9,
            "domain": 41,
            "hostname": 13
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386870,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916a9fe746743e69478d360",
          "name": "EbeeNov2025 Pt2",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-14T03:00:57.826000",
          "created": "2025-11-14T04:03:10.501000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20179805 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 207,
            "FileHash-SHA1": 174,
            "FileHash-SHA256": 237,
            "domain": 153,
            "URL": 85,
            "CVE": 5,
            "hostname": 39
          },
          "indicator_count": 900,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690ce57d202db6de92b6e04a",
          "name": "Gootloader Resurfaces with Sophisticated Techniques",
          "description": "Gootloader malware campaign is back with sophisticated evasion techniques that\nallow it to bypass automated security analysis.",
          "modified": "2025-12-06T18:03:29.072000",
          "created": "2025-11-06T18:14:21.798000",
          "tags": [
            "hxxps",
            "hashes",
            "hxxp"
          ],
          "references": [],
          "public": 1,
          "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 62,
            "FileHash-SHA256": 12
          },
          "indicator_count": 74,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690d5f22270c494c68bcf199",
          "name": "IOC - Gootloader Returns: What Goodies Did They Bring?",
          "description": "",
          "modified": "2025-12-06T14:01:00.062000",
          "created": "2025-11-07T02:53:22.181000",
          "tags": [
            "vanilla tempest",
            "lateral movement",
            "noberus",
            "ransomware",
            "obfuscation",
            "gootloader",
            "quantum locker",
            "seo poisoning",
            "rhysida",
            "wordpress exploitation",
            "zeppelin",
            "javascript",
            "blackcat",
            "alphv",
            "supper socks5 backdoor"
          ],
          "references": [
            "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
          ],
          "public": 1,
          "adversary": "Storm-0494",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gootloader - S1138",
              "display_name": "Gootloader - S1138",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "BlackCat - S1068",
              "display_name": "BlackCat - S1068",
              "target": null
            },
            {
              "id": "ALPHV",
              "display_name": "ALPHV",
              "target": null
            },
            {
              "id": "Noberus",
              "display_name": "Noberus",
              "target": null
            },
            {
              "id": "Zeppelin",
              "display_name": "Zeppelin",
              "target": null
            },
            {
              "id": "Quantum Locker",
              "display_name": "Quantum Locker",
              "target": null
            },
            {
              "id": "Supper SOCKS5 Backdoor",
              "display_name": "Supper SOCKS5 Backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110.001",
              "name": "Password Guessing",
              "display_name": "T1110.001 - Password Guessing"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1136.002",
              "name": "Domain Account",
              "display_name": "T1136.002 - Domain Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1003.003",
              "name": "NTDS",
              "display_name": "T1003.003 - NTDS"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "690cadc6a4a3c3370cc2e697",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 66,
            "FileHash-SHA256": 9,
            "domain": 41,
            "hostname": 13
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690d7cf30b032ca8557dfec0",
          "name": "Gootloader Returns: What Goodies Did They Bring?",
          "description": "",
          "modified": "2025-12-06T14:01:00.062000",
          "created": "2025-11-07T05:00:35.456000",
          "tags": [
            "vanilla tempest",
            "lateral movement",
            "noberus",
            "ransomware",
            "obfuscation",
            "gootloader",
            "quantum locker",
            "seo poisoning",
            "rhysida",
            "wordpress exploitation",
            "zeppelin",
            "javascript",
            "blackcat",
            "alphv",
            "supper socks5 backdoor"
          ],
          "references": [
            "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
          ],
          "public": 1,
          "adversary": "Storm-0494",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gootloader - S1138",
              "display_name": "Gootloader - S1138",
              "target": null
            },
            {
              "id": "Rhysida",
              "display_name": "Rhysida",
              "target": null
            },
            {
              "id": "BlackCat - S1068",
              "display_name": "BlackCat - S1068",
              "target": null
            },
            {
              "id": "ALPHV",
              "display_name": "ALPHV",
              "target": null
            },
            {
              "id": "Noberus",
              "display_name": "Noberus",
              "target": null
            },
            {
              "id": "Zeppelin",
              "display_name": "Zeppelin",
              "target": null
            },
            {
              "id": "Quantum Locker",
              "display_name": "Quantum Locker",
              "target": null
            },
            {
              "id": "Supper SOCKS5 Backdoor",
              "display_name": "Supper SOCKS5 Backdoor",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110.001",
              "name": "Password Guessing",
              "display_name": "T1110.001 - Password Guessing"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1136.002",
              "name": "Domain Account",
              "display_name": "T1136.002 - Domain Account"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1003.003",
              "name": "NTDS",
              "display_name": "T1003.003 - NTDS"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "690cadc6a4a3c3370cc2e697",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 66,
            "FileHash-SHA256": 9,
            "domain": 41,
            "hostname": 13
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "690ca8f2a871ffdf54c2795f",
          "name": "Gootloader Returns: What Goodies Did They Bring?",
          "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.",
          "modified": "2025-12-06T13:02:41.371000",
          "created": "2025-11-06T13:56:02.390000",
          "tags": [
            "gootloader",
            "javascript file",
            "supper backdoor",
            "c2 server",
            "vanilla tempest",
            "powershell",
            "case",
            "sha256",
            "javascript",
            "windows",
            "path",
            "blackcat",
            "zeppelin",
            "download",
            "back",
            "supper socks5",
            "oysterloader",
            "section).the",
            "supper",
            "huntress"
          ],
          "references": [
            "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "OysterLoader",
              "display_name": "OysterLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 68,
            "FileHash-SHA256": 10,
            "domain": 55,
            "hostname": 13
          },
          "indicator_count": 146,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Storm-0494"
          ],
          "malware_families": [
            "Quantum locker",
            "Zeppelin",
            "Gootloader - s1138",
            "Rhysida",
            "Alphv",
            "Supper socks5 backdoor",
            "Blackcat - s1068",
            "Noberus"
          ],
          "industries": [],
          "unique_indicators": 136
        },
        "other": {
          "adversary": [
            "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu",
            "Storm-0494",
            "CryptoGen Cyber Threat Intelligence Advisory"
          ],
          "malware_families": [
            "Quantum locker",
            "Zeppelin",
            "Gootloader - s1138",
            "Rhysida",
            "Alphv",
            "Supper socks5 backdoor",
            "Blackcat - s1068",
            "Gootloader",
            "Noberus",
            "Oysterloader"
          ],
          "industries": [],
          "unique_indicators": 974
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/vps3nter.ir",
    "whois": "http://whois.domaintools.com/vps3nter.ir",
    "domain": "vps3nter.ir",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "690cadc6a4a3c3370cc2e697",
      "name": "Gootloader Returns: What Goodies Did They Bring?",
      "description": "Gootloader, a sophisticated JavaScript-based malware loader, has resurfaced with renewed activity. Used by threat actor Storm-0494, it grants access to Vanilla Tempest, which delivers various ransomware families. Recent infections have led to rapid domain controller compromises. The loader now uses custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploits WordPress comment endpoints for payload delivery. It has shifted to Startup folder persistence and employs extensive obfuscation techniques. Reconnaissance begins quickly after infection, followed by predictable attack patterns including AD enumeration, lateral movement, and potential ransomware preparation. The loader's delivery method and obfuscation techniques have evolved, making it more challenging to detect and analyze.",
      "modified": "2025-12-06T14:01:00.062000",
      "created": "2025-11-06T14:16:38.980000",
      "tags": [
        "vanilla tempest",
        "lateral movement",
        "noberus",
        "ransomware",
        "obfuscation",
        "gootloader",
        "quantum locker",
        "seo poisoning",
        "rhysida",
        "wordpress exploitation",
        "zeppelin",
        "javascript",
        "blackcat",
        "alphv",
        "supper socks5 backdoor"
      ],
      "references": [
        "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
      ],
      "public": 1,
      "adversary": "Storm-0494",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gootloader - S1138",
          "display_name": "Gootloader - S1138",
          "target": null
        },
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "BlackCat - S1068",
          "display_name": "BlackCat - S1068",
          "target": null
        },
        {
          "id": "ALPHV",
          "display_name": "ALPHV",
          "target": null
        },
        {
          "id": "Noberus",
          "display_name": "Noberus",
          "target": null
        },
        {
          "id": "Zeppelin",
          "display_name": "Zeppelin",
          "target": null
        },
        {
          "id": "Quantum Locker",
          "display_name": "Quantum Locker",
          "target": null
        },
        {
          "id": "Supper SOCKS5 Backdoor",
          "display_name": "Supper SOCKS5 Backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110.001",
          "name": "Password Guessing",
          "display_name": "T1110.001 - Password Guessing"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1136.002",
          "name": "Domain Account",
          "display_name": "T1136.002 - Domain Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1003.003",
          "name": "NTDS",
          "display_name": "T1003.003 - NTDS"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 66,
        "FileHash-SHA256": 9,
        "domain": 41,
        "hostname": 13
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386870,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916a9fe746743e69478d360",
      "name": "EbeeNov2025 Pt2",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-14T03:00:57.826000",
      "created": "2025-11-14T04:03:10.501000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20179805 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 207,
        "FileHash-SHA1": 174,
        "FileHash-SHA256": 237,
        "domain": 153,
        "URL": 85,
        "CVE": 5,
        "hostname": 39
      },
      "indicator_count": 900,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "170 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690ce57d202db6de92b6e04a",
      "name": "Gootloader Resurfaces with Sophisticated Techniques",
      "description": "The Gootloader malware campaign is back with sophisticated evasion techniques that allow it to bypass automated security analysis.",
      "modified": "2025-12-06T18:03:29.072000",
      "created": "2025-11-06T18:14:21.798000",
      "tags": [
        "hxxps",
        "hashes",
        "hxxp"
      ],
      "references": [],
      "public": 1,
      "adversary": "CryptoGen Cyber Threat Intelligence Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 62,
        "FileHash-SHA256": 12
      },
      "indicator_count": 74,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690d5f22270c494c68bcf199",
      "name": "IOC - Gootloader Returns: What Goodies Did They Bring?",
      "description": "",
      "modified": "2025-12-06T14:01:00.062000",
      "created": "2025-11-07T02:53:22.181000",
      "tags": [
        "vanilla tempest",
        "lateral movement",
        "noberus",
        "ransomware",
        "obfuscation",
        "gootloader",
        "quantum locker",
        "seo poisoning",
        "rhysida",
        "wordpress exploitation",
        "zeppelin",
        "javascript",
        "blackcat",
        "alphv",
        "supper socks5 backdoor"
      ],
      "references": [
        "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
      ],
      "public": 1,
      "adversary": "Storm-0494",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gootloader - S1138",
          "display_name": "Gootloader - S1138",
          "target": null
        },
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "BlackCat - S1068",
          "display_name": "BlackCat - S1068",
          "target": null
        },
        {
          "id": "ALPHV",
          "display_name": "ALPHV",
          "target": null
        },
        {
          "id": "Noberus",
          "display_name": "Noberus",
          "target": null
        },
        {
          "id": "Zeppelin",
          "display_name": "Zeppelin",
          "target": null
        },
        {
          "id": "Quantum Locker",
          "display_name": "Quantum Locker",
          "target": null
        },
        {
          "id": "Supper SOCKS5 Backdoor",
          "display_name": "Supper SOCKS5 Backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110.001",
          "name": "Password Guessing",
          "display_name": "T1110.001 - Password Guessing"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1136.002",
          "name": "Domain Account",
          "display_name": "T1136.002 - Domain Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1003.003",
          "name": "NTDS",
          "display_name": "T1003.003 - NTDS"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "690cadc6a4a3c3370cc2e697",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 66,
        "FileHash-SHA256": 9,
        "domain": 41,
        "hostname": 13
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690d7cf30b032ca8557dfec0",
      "name": "Gootloader Returns: What Goodies Did They Bring?",
      "description": "",
      "modified": "2025-12-06T14:01:00.062000",
      "created": "2025-11-07T05:00:35.456000",
      "tags": [
        "vanilla tempest",
        "lateral movement",
        "noberus",
        "ransomware",
        "obfuscation",
        "gootloader",
        "quantum locker",
        "seo poisoning",
        "rhysida",
        "wordpress exploitation",
        "zeppelin",
        "javascript",
        "blackcat",
        "alphv",
        "supper socks5 backdoor"
      ],
      "references": [
        "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
      ],
      "public": 1,
      "adversary": "Storm-0494",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gootloader - S1138",
          "display_name": "Gootloader - S1138",
          "target": null
        },
        {
          "id": "Rhysida",
          "display_name": "Rhysida",
          "target": null
        },
        {
          "id": "BlackCat - S1068",
          "display_name": "BlackCat - S1068",
          "target": null
        },
        {
          "id": "ALPHV",
          "display_name": "ALPHV",
          "target": null
        },
        {
          "id": "Noberus",
          "display_name": "Noberus",
          "target": null
        },
        {
          "id": "Zeppelin",
          "display_name": "Zeppelin",
          "target": null
        },
        {
          "id": "Quantum Locker",
          "display_name": "Quantum Locker",
          "target": null
        },
        {
          "id": "Supper SOCKS5 Backdoor",
          "display_name": "Supper SOCKS5 Backdoor",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110.001",
          "name": "Password Guessing",
          "display_name": "T1110.001 - Password Guessing"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1136.002",
          "name": "Domain Account",
          "display_name": "T1136.002 - Domain Account"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1003.003",
          "name": "NTDS",
          "display_name": "T1003.003 - NTDS"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "690cadc6a4a3c3370cc2e697",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 66,
        "FileHash-SHA256": 9,
        "domain": 41,
        "hostname": 13
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "690ca8f2a871ffdf54c2795f",
      "name": "Gootloader Returns: What Goodies Did They Bring?",
      "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.",
      "modified": "2025-12-06T13:02:41.371000",
      "created": "2025-11-06T13:56:02.390000",
      "tags": [
        "gootloader",
        "javascript file",
        "supper backdoor",
        "c2 server",
        "vanilla tempest",
        "powershell",
        "case",
        "sha256",
        "javascript",
        "windows",
        "path",
        "blackcat",
        "zeppelin",
        "download",
        "back",
        "supper socks5",
        "oysterloader",
        "section).the",
        "supper",
        "huntress"
      ],
      "references": [
        "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "OysterLoader",
          "display_name": "OysterLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 68,
        "FileHash-SHA256": 10,
        "domain": 55,
        "hostname": 13
      },
      "indicator_count": 146,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://vps3nter.ir/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://vps3nter.ir/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780398716.2996876
}