{ "type": "URL", "indicator": "https://www.adlice.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.adlice.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4040208039, "indicator": "https://www.adlice.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "67bca4fe0cbf1d5eb3d6095e", "name": "Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign", "description": "Attackers are exploiting a legacy Truesight driver, deploying over 2,500 variants to disable security software on Windows systems.\n\nThis large-scale abuse highlights the urgency of securing outdated drivers and enforcing stricter security policies.\n\nCheck Point Research found that attackers modify Truesight.sys v2.0.2 to bypass Windows protections, evade the Microsoft Blocklist, and deploy malware like Gh0st RAT. Most victims are in China and Asia. Microsoft updated its blocklist on Dec. 17, 2024, to counteract this threat.", "modified": "2025-03-26T16:02:23.911000", "created": "2025-02-24T16:57:34.560000", "tags": [ "edrav killer", "gh0st rat", "stage3", "truesight", "tbs hash", "stage2", "adlice", "null", "signer", "china", "vmprotect", "dword", "first", "june", "darkside", "virustotal", "stages", "trojan", "gh0st" ], "references": [ "https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "Singapore", "Taiwan" ], "malware_families": [ { "id": "Gh0st", "display_name": "Gh0st", "target": null }, { "id": "Truesight", "display_name": "Truesight", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "URL": 6, "domain": 2, "hostname": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "433 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Gh0st", "Truesight" ], "industries": [], "unique_indicators": 22 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/adlice.com", "whois": "http://whois.domaintools.com/adlice.com", "domain": "adlice.com", "hostname": "www.adlice.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "67bca4fe0cbf1d5eb3d6095e", "name": "Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign", "description": "Attackers are exploiting a legacy Truesight driver, deploying over 2,500 variants to disable security software on Windows systems.\n\nThis large-scale abuse highlights the urgency of securing outdated drivers and enforcing stricter security policies.\n\nCheck Point Research found that attackers modify Truesight.sys v2.0.2 to bypass Windows protections, evade the Microsoft Blocklist, and deploy malware like Gh0st RAT. Most victims are in China and Asia. Microsoft updated its blocklist on Dec. 17, 2024, to counteract this threat.", "modified": "2025-03-26T16:02:23.911000", "created": "2025-02-24T16:57:34.560000", "tags": [ "edrav killer", "gh0st rat", "stage3", "truesight", "tbs hash", "stage2", "adlice", "null", "signer", "china", "vmprotect", "dword", "first", "june", "darkside", "virustotal", "stages", "trojan", "gh0st" ], "references": [ "https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "Singapore", "Taiwan" ], "malware_families": [ { "id": "Gh0st", "display_name": "Gh0st", "target": null }, { "id": "Truesight", "display_name": "Truesight", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "URL": 6, "domain": 2, "hostname": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "433 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.adlice.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.adlice.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780497614.0185134 }