{ "type": "URL", "indicator": "https://www.americanexpress.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.americanexpress.com", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #139", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3095", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain americanexpress.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain americanexpress.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3474386856, "indicator": "https://www.americanexpress.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a145b9ffef9badee960932", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:25.914000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "domain": 15, "hostname": 8, "FileHash-SHA256": 1, "CVE": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a145ba89a2b4af5a0aa721", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:26.222000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 33, "hostname": 29, "FileHash-SHA256": 91, "FileHash-MD5": 1, "FileHash-SHA1": 20, "CVE": 14, "email": 1 }, "indicator_count": 280, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62abc1b6bf034a31f2fc28ed", "name": "Twitter Feed - AP_Zenmashi - 16-06-2022", "description": "", "modified": "2022-07-16T23:03:49.026000", "created": "2022-06-16T23:50:14.310000", "tags": [ "phishing" ], "references": [ "https://twitter.com/AP_Zenmashi/status/1537240926157828096", "https://twitter.com/AP_Zenmashi/status/1537241106328748032", "https://twitter.com/AP_Zenmashi/status/1537241268367294464", "https://twitter.com/AP_Zenmashi/status/1537241435229294592", "https://twitter.com/AP_Zenmashi/status/1537241590296887296", "https://twitter.com/AP_Zenmashi/status/1537241811047313409", "https://twitter.com/AP_Zenmashi/status/1537248217733050370", "https://twitter.com/AP_Zenmashi/status/1537248381546168320", "https://twitter.com/AP_Zenmashi/status/1537248531831848960", "https://twitter.com/AP_Zenmashi/status/1537248679975088128", "https://twitter.com/AP_Zenmashi/status/1537256326912389121", "https://twitter.com/AP_Zenmashi/status/1537263856225239041", "https://twitter.com/AP_Zenmashi/status/1537264130075131905", "https://twitter.com/AP_Zenmashi/status/1537264282789826560", "https://twitter.com/AP_Zenmashi/status/1537264446904872960", "https://twitter.com/AP_Zenmashi/status/1537264645605470208", "https://twitter.com/AP_Zenmashi/status/1537278520157605888", "https://twitter.com/AP_Zenmashi/status/1537285970675912704", "https://twitter.com/AP_Zenmashi/status/1537286349270953985", "https://twitter.com/AP_Zenmashi/status/1537293697963872256", "https://twitter.com/AP_Zenmashi/status/1537294597344624643", "https://twitter.com/AP_Zenmashi/status/1537294801875267584", "https://twitter.com/AP_Zenmashi/status/1537301363826491392", "https://twitter.com/AP_Zenmashi/status/1537308846351192064", "https://twitter.com/AP_Zenmashi/status/1537331372087332864", "https://twitter.com/AP_Zenmashi/status/1537339096078557184", "https://twitter.com/AP_Zenmashi/status/1537339302157332480", "https://twitter.com/AP_Zenmashi/status/1537339698687135744", "https://twitter.com/AP_Zenmashi/status/1537353830782083074", "https://twitter.com/AP_Zenmashi/status/1537354208378519554", "https://twitter.com/AP_Zenmashi/status/1537370326438670336", "https://twitter.com/AP_Zenmashi/status/1537384216987860993", "https://twitter.com/AP_Zenmashi/status/1537384477155962881", "https://twitter.com/AP_Zenmashi/status/1537384708299841539", "https://twitter.com/AP_Zenmashi/status/1537384858074628096", "https://twitter.com/AP_Zenmashi/status/1537385046424055808", "https://twitter.com/AP_Zenmashi/status/1537385211801239552", "https://twitter.com/AP_Zenmashi/status/1537392256306802689", "https://twitter.com/AP_Zenmashi/status/1537392473269747713", "https://twitter.com/AP_Zenmashi/status/1537392671630962688", "https://twitter.com/AP_Zenmashi/status/1537392879379058689", "https://twitter.com/AP_Zenmashi/status/1537393110921408512", "https://twitter.com/AP_Zenmashi/status/1537393311106727936", "https://twitter.com/AP_Zenmashi/status/1537393518355746816", "https://twitter.com/AP_Zenmashi/status/1537393732915699715", "https://twitter.com/AP_Zenmashi/status/1537393943956303874", "https://twitter.com/AP_Zenmashi/status/1537394150278336513", "https://twitter.com/AP_Zenmashi/status/1537394355828576256", "https://twitter.com/AP_Zenmashi/status/1537394563169787908", "https://twitter.com/AP_Zenmashi/status/1537394777997488128", "https://twitter.com/AP_Zenmashi/status/1537394972030533633", "https://twitter.com/AP_Zenmashi/status/1537395141186830336", "https://twitter.com/AP_Zenmashi/status/1537395310367870977", "https://twitter.com/AP_Zenmashi/status/1537395533542998016", "https://twitter.com/AP_Zenmashi/status/1537395789626249218", "https://twitter.com/AP_Zenmashi/status/1537396025677475840", "https://twitter.com/AP_Zenmashi/status/1537396761643601921", "https://twitter.com/AP_Zenmashi/status/1537399445817479169", "https://twitter.com/AP_Zenmashi/status/1537399928476954626", "https://twitter.com/AP_Zenmashi/status/1537400179447324674", "https://twitter.com/AP_Zenmashi/status/1537400407387176960", "https://twitter.com/AP_Zenmashi/status/1537400648181829635", "https://twitter.com/AP_Zenmashi/status/1537400882559877122", "https://twitter.com/AP_Zenmashi/status/1537401401575616512", "https://twitter.com/AP_Zenmashi/status/1537401923896496128", "https://twitter.com/AP_Zenmashi/status/1537402417918058496", "https://twitter.com/AP_Zenmashi/status/1537403367462383616", "https://twitter.com/AP_Zenmashi/status/1537404239152304128", "https://twitter.com/AP_Zenmashi/status/1537407148694847490", "https://twitter.com/AP_Zenmashi/status/1537407271994392577", "https://twitter.com/AP_Zenmashi/status/1537407533807468545", "https://twitter.com/AP_Zenmashi/status/1537414535161663488", "https://twitter.com/AP_Zenmashi/status/1537429820015276034", "https://twitter.com/AP_Zenmashi/status/1537445792486952960", "https://twitter.com/AP_Zenmashi/status/1537446179398504453", "https://twitter.com/AP_Zenmashi/status/1537459977916674048", "https://twitter.com/AP_Zenmashi/status/1537460124087791616", "https://twitter.com/AP_Zenmashi/status/1537482599190319104", "https://twitter.com/AP_Zenmashi/status/1537490474075729920", "https://twitter.com/AP_Zenmashi/status/1537505158388908032", "https://twitter.com/AP_Zenmashi/status/1537505480528265216", "https://twitter.com/AP_Zenmashi/status/1537505697629614080", "https://twitter.com/AP_Zenmashi/status/1537505837086031877", "https://twitter.com/AP_Zenmashi/status/1537506043835879424", "https://twitter.com/AP_Zenmashi/status/1537519971345268736", "https://twitter.com/AP_Zenmashi/status/1537558092467933184", "https://twitter.com/AP_Zenmashi/status/1537558326023966721", "https://twitter.com/AP_Zenmashi/status/1537559116268249088", "https://twitter.com/AP_Zenmashi/status/1537572914467246080", "https://twitter.com/AP_Zenmashi/status/1537573080264224768", "https://twitter.com/AP_Zenmashi/status/1537573239534153728", "https://twitter.com/AP_Zenmashi/status/1537573437270786048" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 87 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/AP_Zenmashi/status/1537264130075131905", "https://twitter.com/AP_Zenmashi/status/1537459977916674048", "https://twitter.com/AP_Zenmashi/status/1537331372087332864", "https://twitter.com/AP_Zenmashi/status/1537241268367294464", "https://twitter.com/AP_Zenmashi/status/1537384477155962881", "https://twitter.com/AP_Zenmashi/status/1537395789626249218", "https://twitter.com/AP_Zenmashi/status/1537559116268249088", "https://twitter.com/AP_Zenmashi/status/1537384858074628096", "https://twitter.com/AP_Zenmashi/status/1537505697629614080", "https://twitter.com/AP_Zenmashi/status/1537573239534153728", "https://twitter.com/AP_Zenmashi/status/1537490474075729920", "https://twitter.com/AP_Zenmashi/status/1537392879379058689", "https://twitter.com/AP_Zenmashi/status/1537393943956303874", "https://twitter.com/AP_Zenmashi/status/1537396761643601921", "https://twitter.com/AP_Zenmashi/status/1537339096078557184", "https://twitter.com/AP_Zenmashi/status/1537263856225239041", "https://twitter.com/AP_Zenmashi/status/1537505480528265216", "https://twitter.com/AP_Zenmashi/status/1537308846351192064", "https://twitter.com/AP_Zenmashi/status/1537505158388908032", "https://twitter.com/AP_Zenmashi/status/1537240926157828096", "https://twitter.com/AP_Zenmashi/status/1537294801875267584", "https://twitter.com/AP_Zenmashi/status/1537400648181829635", "https://twitter.com/AP_Zenmashi/status/1537286349270953985", "https://twitter.com/AP_Zenmashi/status/1537393110921408512", "https://twitter.com/AP_Zenmashi/status/1537264282789826560", "https://twitter.com/AP_Zenmashi/status/1537248679975088128", "https://twitter.com/AP_Zenmashi/status/1537407271994392577", "https://twitter.com/AP_Zenmashi/status/1537393732915699715", "https://twitter.com/AP_Zenmashi/status/1537339698687135744", "https://twitter.com/AP_Zenmashi/status/1537264446904872960", "https://twitter.com/AP_Zenmashi/status/1537402417918058496", "https://twitter.com/AP_Zenmashi/status/1537241811047313409", "https://twitter.com/AP_Zenmashi/status/1537396025677475840", "https://twitter.com/AP_Zenmashi/status/1537394150278336513", "https://twitter.com/AP_Zenmashi/status/1537399445817479169", "https://twitter.com/AP_Zenmashi/status/1537482599190319104", "https://twitter.com/AP_Zenmashi/status/1537394777997488128", "https://twitter.com/AP_Zenmashi/status/1537401923896496128", "https://twitter.com/AP_Zenmashi/status/1537429820015276034", "https://twitter.com/AP_Zenmashi/status/1537256326912389121", "https://twitter.com/AP_Zenmashi/status/1537401401575616512", "https://twitter.com/AP_Zenmashi/status/1537370326438670336", "https://twitter.com/AP_Zenmashi/status/1537446179398504453", "https://twitter.com/AP_Zenmashi/status/1537407533807468545", "https://twitter.com/AP_Zenmashi/status/1537293697963872256", "https://twitter.com/AP_Zenmashi/status/1537384216987860993", "https://twitter.com/AP_Zenmashi/status/1537519971345268736", "https://twitter.com/AP_Zenmashi/status/1537395141186830336", "https://twitter.com/AP_Zenmashi/status/1537414535161663488", "https://twitter.com/AP_Zenmashi/status/1537506043835879424", "https://twitter.com/AP_Zenmashi/status/1537241106328748032", "https://twitter.com/AP_Zenmashi/status/1537248381546168320", "https://twitter.com/AP_Zenmashi/status/1537392473269747713", "https://twitter.com/AP_Zenmashi/status/1537392256306802689", "https://twitter.com/AP_Zenmashi/status/1537395310367870977", "https://twitter.com/AP_Zenmashi/status/1537248217733050370", "https://twitter.com/AP_Zenmashi/status/1537294597344624643", "https://twitter.com/AP_Zenmashi/status/1537393518355746816", "https://twitter.com/AP_Zenmashi/status/1537394563169787908", "https://twitter.com/AP_Zenmashi/status/1537407148694847490", "https://twitter.com/AP_Zenmashi/status/1537385211801239552", "https://twitter.com/AP_Zenmashi/status/1537353830782083074", "https://twitter.com/AP_Zenmashi/status/1537392671630962688", "https://twitter.com/AP_Zenmashi/status/1537573080264224768", "https://twitter.com/AP_Zenmashi/status/1537264645605470208", "https://twitter.com/AP_Zenmashi/status/1537400407387176960", "https://twitter.com/AP_Zenmashi/status/1537445792486952960", "https://twitter.com/AP_Zenmashi/status/1537393311106727936", "https://twitter.com/AP_Zenmashi/status/1537572914467246080", "https://twitter.com/AP_Zenmashi/status/1537558092467933184", "https://twitter.com/AP_Zenmashi/status/1537395533542998016", "https://twitter.com/AP_Zenmashi/status/1537301363826491392", "https://twitter.com/AP_Zenmashi/status/1537505837086031877", "https://twitter.com/AP_Zenmashi/status/1537278520157605888", "https://twitter.com/AP_Zenmashi/status/1537285970675912704", "https://twitter.com/AP_Zenmashi/status/1537400882559877122", "https://twitter.com/AP_Zenmashi/status/1537384708299841539", "https://twitter.com/AP_Zenmashi/status/1537399928476954626", "https://twitter.com/AP_Zenmashi/status/1537460124087791616", "https://twitter.com/AP_Zenmashi/status/1537573437270786048", "https://twitter.com/AP_Zenmashi/status/1537354208378519554", "https://twitter.com/AP_Zenmashi/status/1537394355828576256", "https://twitter.com/AP_Zenmashi/status/1537339302157332480", "https://twitter.com/AP_Zenmashi/status/1537385046424055808", "https://twitter.com/AP_Zenmashi/status/1537241435229294592", "https://twitter.com/AP_Zenmashi/status/1537248531831848960", "https://twitter.com/AP_Zenmashi/status/1537241590296887296", "https://twitter.com/AP_Zenmashi/status/1537404239152304128", "https://twitter.com/AP_Zenmashi/status/1537394972030533633", "https://twitter.com/AP_Zenmashi/status/1537403367462383616", "https://twitter.com/AP_Zenmashi/status/1537558326023966721", "https://twitter.com/AP_Zenmashi/status/1537400179447324674" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 12677 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/americanexpress.com", "whois": "http://whois.domaintools.com/americanexpress.com", "domain": "americanexpress.com", "hostname": "www.americanexpress.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a145b9ffef9badee960932", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:25.914000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "domain": 15, "hostname": 8, "FileHash-SHA256": 1, "CVE": 1 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a145ba89a2b4af5a0aa721", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:26.222000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 33, "hostname": 29, "FileHash-SHA256": 91, "FileHash-MD5": 1, "FileHash-SHA1": 20, "CVE": 14, "email": 1 }, "indicator_count": 280, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62abc1b6bf034a31f2fc28ed", "name": "Twitter Feed - AP_Zenmashi - 16-06-2022", "description": "", "modified": "2022-07-16T23:03:49.026000", "created": "2022-06-16T23:50:14.310000", "tags": [ "phishing" ], "references": [ "https://twitter.com/AP_Zenmashi/status/1537240926157828096", "https://twitter.com/AP_Zenmashi/status/1537241106328748032", "https://twitter.com/AP_Zenmashi/status/1537241268367294464", "https://twitter.com/AP_Zenmashi/status/1537241435229294592", "https://twitter.com/AP_Zenmashi/status/1537241590296887296", "https://twitter.com/AP_Zenmashi/status/1537241811047313409", "https://twitter.com/AP_Zenmashi/status/1537248217733050370", "https://twitter.com/AP_Zenmashi/status/1537248381546168320", "https://twitter.com/AP_Zenmashi/status/1537248531831848960", "https://twitter.com/AP_Zenmashi/status/1537248679975088128", "https://twitter.com/AP_Zenmashi/status/1537256326912389121", "https://twitter.com/AP_Zenmashi/status/1537263856225239041", "https://twitter.com/AP_Zenmashi/status/1537264130075131905", "https://twitter.com/AP_Zenmashi/status/1537264282789826560", "https://twitter.com/AP_Zenmashi/status/1537264446904872960", "https://twitter.com/AP_Zenmashi/status/1537264645605470208", "https://twitter.com/AP_Zenmashi/status/1537278520157605888", "https://twitter.com/AP_Zenmashi/status/1537285970675912704", "https://twitter.com/AP_Zenmashi/status/1537286349270953985", "https://twitter.com/AP_Zenmashi/status/1537293697963872256", "https://twitter.com/AP_Zenmashi/status/1537294597344624643", "https://twitter.com/AP_Zenmashi/status/1537294801875267584", "https://twitter.com/AP_Zenmashi/status/1537301363826491392", "https://twitter.com/AP_Zenmashi/status/1537308846351192064", "https://twitter.com/AP_Zenmashi/status/1537331372087332864", "https://twitter.com/AP_Zenmashi/status/1537339096078557184", "https://twitter.com/AP_Zenmashi/status/1537339302157332480", "https://twitter.com/AP_Zenmashi/status/1537339698687135744", "https://twitter.com/AP_Zenmashi/status/1537353830782083074", "https://twitter.com/AP_Zenmashi/status/1537354208378519554", "https://twitter.com/AP_Zenmashi/status/1537370326438670336", "https://twitter.com/AP_Zenmashi/status/1537384216987860993", "https://twitter.com/AP_Zenmashi/status/1537384477155962881", "https://twitter.com/AP_Zenmashi/status/1537384708299841539", "https://twitter.com/AP_Zenmashi/status/1537384858074628096", "https://twitter.com/AP_Zenmashi/status/1537385046424055808", "https://twitter.com/AP_Zenmashi/status/1537385211801239552", "https://twitter.com/AP_Zenmashi/status/1537392256306802689", "https://twitter.com/AP_Zenmashi/status/1537392473269747713", "https://twitter.com/AP_Zenmashi/status/1537392671630962688", "https://twitter.com/AP_Zenmashi/status/1537392879379058689", "https://twitter.com/AP_Zenmashi/status/1537393110921408512", "https://twitter.com/AP_Zenmashi/status/1537393311106727936", "https://twitter.com/AP_Zenmashi/status/1537393518355746816", "https://twitter.com/AP_Zenmashi/status/1537393732915699715", "https://twitter.com/AP_Zenmashi/status/1537393943956303874", "https://twitter.com/AP_Zenmashi/status/1537394150278336513", "https://twitter.com/AP_Zenmashi/status/1537394355828576256", "https://twitter.com/AP_Zenmashi/status/1537394563169787908", "https://twitter.com/AP_Zenmashi/status/1537394777997488128", "https://twitter.com/AP_Zenmashi/status/1537394972030533633", "https://twitter.com/AP_Zenmashi/status/1537395141186830336", "https://twitter.com/AP_Zenmashi/status/1537395310367870977", "https://twitter.com/AP_Zenmashi/status/1537395533542998016", "https://twitter.com/AP_Zenmashi/status/1537395789626249218", "https://twitter.com/AP_Zenmashi/status/1537396025677475840", "https://twitter.com/AP_Zenmashi/status/1537396761643601921", "https://twitter.com/AP_Zenmashi/status/1537399445817479169", "https://twitter.com/AP_Zenmashi/status/1537399928476954626", "https://twitter.com/AP_Zenmashi/status/1537400179447324674", "https://twitter.com/AP_Zenmashi/status/1537400407387176960", "https://twitter.com/AP_Zenmashi/status/1537400648181829635", "https://twitter.com/AP_Zenmashi/status/1537400882559877122", "https://twitter.com/AP_Zenmashi/status/1537401401575616512", "https://twitter.com/AP_Zenmashi/status/1537401923896496128", "https://twitter.com/AP_Zenmashi/status/1537402417918058496", "https://twitter.com/AP_Zenmashi/status/1537403367462383616", "https://twitter.com/AP_Zenmashi/status/1537404239152304128", "https://twitter.com/AP_Zenmashi/status/1537407148694847490", "https://twitter.com/AP_Zenmashi/status/1537407271994392577", "https://twitter.com/AP_Zenmashi/status/1537407533807468545", "https://twitter.com/AP_Zenmashi/status/1537414535161663488", "https://twitter.com/AP_Zenmashi/status/1537429820015276034", "https://twitter.com/AP_Zenmashi/status/1537445792486952960", "https://twitter.com/AP_Zenmashi/status/1537446179398504453", "https://twitter.com/AP_Zenmashi/status/1537459977916674048", "https://twitter.com/AP_Zenmashi/status/1537460124087791616", "https://twitter.com/AP_Zenmashi/status/1537482599190319104", "https://twitter.com/AP_Zenmashi/status/1537490474075729920", "https://twitter.com/AP_Zenmashi/status/1537505158388908032", "https://twitter.com/AP_Zenmashi/status/1537505480528265216", "https://twitter.com/AP_Zenmashi/status/1537505697629614080", "https://twitter.com/AP_Zenmashi/status/1537505837086031877", "https://twitter.com/AP_Zenmashi/status/1537506043835879424", "https://twitter.com/AP_Zenmashi/status/1537519971345268736", "https://twitter.com/AP_Zenmashi/status/1537558092467933184", "https://twitter.com/AP_Zenmashi/status/1537558326023966721", "https://twitter.com/AP_Zenmashi/status/1537559116268249088", "https://twitter.com/AP_Zenmashi/status/1537572914467246080", "https://twitter.com/AP_Zenmashi/status/1537573080264224768", "https://twitter.com/AP_Zenmashi/status/1537573239534153728", "https://twitter.com/AP_Zenmashi/status/1537573437270786048" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 87 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.americanexpress.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.americanexpress.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224431.6458573 }