{ "type": "URL", "indicator": "https://www.andrXXXXXX.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.andrXXXXXX.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329186176, "indicator": "https://www.andrXXXXXX.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee1b8d70072b91528704c9", "name": "The Shadow of GGBond : Suspected Supply Chain Attack on Official Installer of a Virtual Mobile Service Provider", "description": "The RedDrip Team of the QiAnXin Threat Intelligence Center has identified a supply chain attack involving the official installer for a virtual mobile service provider, which occurred between February and late March 2026. During this period, the installer was compromised, leading to substantial breaches affecting various government and enterprise endpoints. The method of attack featured a malicious installer designed as a multi-layer Trojan loader, dubbed GGBond Rat, which exploited the compromised installer framework. The command and control (C2) domain associated with this threat was noted to be hosted on Cloudflare CDN and ranked among the top 1 million domains on OpenDNS.", "modified": "2026-04-26T14:05:01.470000", "created": "2026-04-26T14:05:01.470000", "tags": [ "qianxin threat", "trojan", "c2 domain", "udp packet", "impact scope", "reddrip team", "february", "march", "download url", "url path", "dropper", "ggbond" ], "references": [ "https://ti.qianxin.com/blog/articles/supply-chain-attack-on-official-installer-of-a-virtual-mobile-service-provider-en/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" } ], "industries": [ "Government", "Education", "Information Technology", "Construction", "Finance", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 2, "hostname": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://ti.qianxin.com/blog/articles/supply-chain-attack-on-official-installer-of-a-virtual-mobile-service-provider-en/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [ "Finance", "Government", "Education", "Construction", "Energy", "Information technology" ], "unique_indicators": 1005 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/andrXXXXXX.com", "whois": "http://whois.domaintools.com/andrXXXXXX.com", "domain": "andrXXXXXX.com", "hostname": "www.andrXXXXXX.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee1b8d70072b91528704c9", "name": "The Shadow of GGBond : Suspected Supply Chain Attack on Official Installer of a Virtual Mobile Service Provider", "description": "The RedDrip Team of the QiAnXin Threat Intelligence Center has identified a supply chain attack involving the official installer for a virtual mobile service provider, which occurred between February and late March 2026. During this period, the installer was compromised, leading to substantial breaches affecting various government and enterprise endpoints. The method of attack featured a malicious installer designed as a multi-layer Trojan loader, dubbed GGBond Rat, which exploited the compromised installer framework. The command and control (C2) domain associated with this threat was noted to be hosted on Cloudflare CDN and ranked among the top 1 million domains on OpenDNS.", "modified": "2026-04-26T14:05:01.470000", "created": "2026-04-26T14:05:01.470000", "tags": [ "qianxin threat", "trojan", "c2 domain", "udp packet", "impact scope", "reddrip team", "february", "march", "download url", "url path", "dropper", "ggbond" ], "references": [ "https://ti.qianxin.com/blog/articles/supply-chain-attack-on-official-installer-of-a-virtual-mobile-service-provider-en/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027.003", "name": "Steganography", "display_name": "T1027.003 - Steganography" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" } ], "industries": [ "Government", "Education", "Information Technology", "Construction", "Finance", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 2, "hostname": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.andrXXXXXX.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.andrXXXXXX.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180358.1754735 }