{ "type": "URL", "indicator": "https://workshop-lighting-protective-customs.trycloudflare.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://workshop-lighting-protective-customs.trycloudflare.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4355126829, "indicator": "https://workshop-lighting-protective-customs.trycloudflare.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a0200aec25a59a6b9d4edcf", "name": "Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.", "modified": "2026-05-11T19:07:00.596000", "created": "2026-05-11T16:15:42.099000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10d1fc5451fc4019c6c286", "name": "trycloudflare", "description": "", "modified": "2026-05-22T22:00:28.654000", "created": "2026-05-22T22:00:28.654000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "IPv4": 3, "URL": 1485, "hostname": 936 }, "indicator_count": 2427, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a02ae77312d67a6a9e63304", "name": "Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "", "modified": "2026-05-12T04:37:11.554000", "created": "2026-05-12T04:37:11.554000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "6a0200aec25a59a6b9d4edcf", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0295ebdc59096a44d95167", "name": "IOC - Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "", "modified": "2026-05-12T02:52:27.183000", "created": "2026-05-12T02:52:27.183000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "6a0200aec25a59a6b9d4edcf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/", "IOCs.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Etherrat", "Rclone", "Netexec", "The gentlemen", "Tuktuk", "Mimikatz" ], "industries": [], "unique_indicators": 45 }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Etherrat", "Rclone", "Netexec", "The gentlemen", "Tuktuk", "Mimikatz" ], "industries": [], "unique_indicators": 3449 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trycloudflare.com", "whois": "http://whois.domaintools.com/trycloudflare.com", "domain": "trycloudflare.com", "hostname": "workshop-lighting-protective-customs.trycloudflare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a0200aec25a59a6b9d4edcf", "name": "Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "An intrusion was observed in April 2026 where threat actors deployed EtherRAT malware through a malicious MSI installer disguised as a Sysinternals tool. The malware utilized Ethereum blockchain via EtherHiding for dynamic C2 configuration updates. Following reconnaissance activities, actors deployed TukTuk malware framework using DLL sideloading techniques with legitimate applications like Greenshot and SyncTrayzor. TukTuk established C2 channels through SaaS platforms including ClickHouse and Supabase, with backup channels via Ably, Dropbox, and GitHub Issues. The actors performed Kerberoasting, credential theft via Mimikatz and LSASS dumping, and deployed GoTo Resolve RMM tooling for lateral movement. Data exfiltration to Wasabi cloud storage was conducted using Rclone before deploying The Gentlemen ransomware domain-wide through a malicious GPO. The intrusion leveraged blockchain infrastructure, SaaS platforms, and decentralized services to evade traditional network defenses.", "modified": "2026-05-11T19:07:00.596000", "created": "2026-05-11T16:15:42.099000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10d1fc5451fc4019c6c286", "name": "trycloudflare", "description": "", "modified": "2026-05-22T22:00:28.654000", "created": "2026-05-22T22:00:28.654000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "IPv4": 3, "URL": 1485, "hostname": 936 }, "indicator_count": 2427, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a02ae77312d67a6a9e63304", "name": "Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "", "modified": "2026-05-12T04:37:11.554000", "created": "2026-05-12T04:37:11.554000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "6a0200aec25a59a6b9d4edcf", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0295ebdc59096a44d95167", "name": "IOC - Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware", "description": "", "modified": "2026-05-12T02:52:27.183000", "created": "2026-05-12T02:52:27.183000", "tags": [ "kerberoasting", "ethereum", "mimikatz", "cve-2025-55182", "netexec", "the gentlemen ransomware", "saas abuse", "tuktuk", "the gentlemen", "rclone", "dll sideloading", "blockchain c2", "etherrat" ], "references": [ "https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null }, { "id": "TukTuk", "display_name": "TukTuk", "target": null }, { "id": "The Gentlemen", "display_name": "The Gentlemen", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null }, { "id": "NetExec", "display_name": "NetExec", "target": null }, { "id": "Rclone", "display_name": "Rclone", "target": null } ], "attack_ids": [ { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1003.003", "name": "NTDS", "display_name": "T1003.003 - NTDS" }, { "id": "T1558.003", "name": "Kerberoasting", "display_name": "T1558.003 - Kerberoasting" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "6a0200aec25a59a6b9d4edcf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 11, "domain": 2, "hostname": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://workshop-lighting-protective-customs.trycloudflare.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://workshop-lighting-protective-customs.trycloudflare.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780206519.5809243 }