{
  "type": "URL",
  "indicator": "https://www.criminalip.io",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.criminalip.io",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3778267666,
      "indicator": "https://www.criminalip.io",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "69228447b9c71795633314df",
          "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26",
          "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.",
          "modified": "2026-05-24T21:18:51.782000",
          "created": "2025-11-23T03:49:27.649000",
          "tags": [
            "geoip",
            "as54113",
            "fastly",
            "as20940",
            "as15169",
            "google",
            "as214401",
            "maincubesas",
            "gmbh",
            "apache geoip",
            "facebook",
            "UAlberta",
            "AHS",
            "Treaty 8",
            "GoA",
            "Alberta",
            "Edmonton",
            "YEG"
          ],
          "references": [
            "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
            "URLscanio, FSio, vT",
            "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
            "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary",
            "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
            "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Cura\u00e7ao",
            "Guatemala",
            "Sint Maarten (Dutch part)",
            "Tanzania, United Republic of",
            "Barbados",
            "United States of America",
            "Bahamas",
            "Anguilla",
            "Canada",
            "Saint Vincent and the Grenadines",
            "United Kingdom of Great Britain and Northern Ireland",
            "Kenya",
            "France",
            "Aruba",
            "Mexico",
            "Poland",
            "Costa Rica",
            "Ireland",
            "Trinidad and Tobago",
            "Netherlands",
            "Slovakia",
            "Spain",
            "Philippines"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Technology",
            "Telecommunications",
            "Education",
            "Healthcare",
            "Finance",
            "Retail",
            "Hospitality",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 47,
            "FileHash-MD5": 53,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 1059,
            "URL": 6374,
            "domain": 3314,
            "email": 1395,
            "hostname": 3740,
            "CVE": 1
          },
          "indicator_count": 15999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "660ca5d32acac1b3479417bb",
          "name": "import of VT Collection for posterity",
          "description": "Went ahead and compiled my VirusTotal Collection (see references), which is a list, only about 60% complete, of all IoCs I've collected from my past two-year saga, which is seemingly, and ironically, starting to abate after the uncovering of agent Jian Tian on GitHub. I created a post on the Arch Linux forums which effectively turned into a rally to dig deeper and prod harder, because this event seems to hold the key for myself and hopefully a lot of others out of the fever dream that has been the past 720 days, almost on the dot. The initial attack went loud April 8th, 2022, and it has been by far one of the weirdest experiences of my life. So hopefully this compilation and injection into the open source helps someone, somewhere. Cheers.",
          "modified": "2024-05-02T23:01:04.327000",
          "created": "2024-04-03T00:41:55.581000",
          "tags": [
            "bangladesh http",
            "http",
            "formiesr02 http",
            "linkid252669",
            "triage",
            "malware",
            "analysis",
            "report",
            "reported",
            "analyze",
            "sandbox",
            "score",
            "sample",
            "resource",
            "target",
            "size",
            "sha256",
            "sha1",
            "sha512",
            "ssdeep",
            "10 deletes",
            "general",
            "config",
            "copy",
            "please",
            "javascript"
          ],
          "references": [
            "https://tria.ge/240402-zjrcladb42",
            "https://www.virustotal.com/gui/collection/700447bddc504b041ac32dac79a319f3f1768fe5fd3c5ef5fa1ad9bf296b3749",
            "https://www.virustotal.com/gui/file/a34050bc317c14db27c23a31d3b492847736e8dbbf3165b46e377f2f5b25abd2/behavior",
            "https://bbs.archlinux.org/viewtopic.php?id=294456"
          ],
          "public": 1,
          "adversary": "unknown, Chinese speaking",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Trojan:Linux/Xorddos",
              "display_name": "Trojan:Linux/Xorddos",
              "target": "/malware/Trojan:Linux/Xorddos"
            },
            {
              "id": "Virus:Win32/Neshta",
              "display_name": "Virus:Win32/Neshta",
              "target": "/malware/Virus:Win32/Neshta"
            },
            {
              "id": "SpyEye",
              "display_name": "SpyEye",
              "target": null
            },
            {
              "id": "#Trojan:Win32/Winnti",
              "display_name": "#Trojan:Win32/Winnti",
              "target": "/malware/#Trojan:Win32/Winnti"
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Cerberus",
              "display_name": "Cerberus",
              "target": null
            },
            {
              "id": "TrojanDropper:O97M/AveMaria",
              "display_name": "TrojanDropper:O97M/AveMaria",
              "target": "/malware/TrojanDropper:O97M/AveMaria"
            },
            {
              "id": "LD_Preload",
              "display_name": "LD_Preload",
              "target": null
            },
            {
              "id": "Trojan:Linux/Rootkit",
              "display_name": "Trojan:Linux/Rootkit",
              "target": "/malware/Trojan:Linux/Rootkit"
            },
            {
              "id": "DoS:Linux/Xorddos",
              "display_name": "DoS:Linux/Xorddos",
              "target": "/malware/DoS:Linux/Xorddos"
            },
            {
              "id": "Unknown",
              "display_name": "Unknown",
              "target": null
            },
            {
              "id": "Unknown Crypted",
              "display_name": "Unknown Crypted",
              "target": null
            },
            {
              "id": "DDoS:Linux/Mirai",
              "display_name": "DDoS:Linux/Mirai",
              "target": "/malware/DDoS:Linux/Mirai"
            },
            {
              "id": "Trojan:Linux/Mirai",
              "display_name": "Trojan:Linux/Mirai",
              "target": "/malware/Trojan:Linux/Mirai"
            },
            {
              "id": "TEL:Delphi/Obfuscator",
              "display_name": "TEL:Delphi/Obfuscator",
              "target": "/malware/TEL:Delphi/Obfuscator"
            },
            {
              "id": "berbrew",
              "display_name": "berbrew",
              "target": null
            },
            {
              "id": "eldorado",
              "display_name": "eldorado",
              "target": null
            },
            {
              "id": "Trojan:Win32/Zusy",
              "display_name": "Trojan:Win32/Zusy",
              "target": "/malware/Trojan:Win32/Zusy"
            },
            {
              "id": "Trojan:Win32/Vilsel",
              "display_name": "Trojan:Win32/Vilsel",
              "target": "/malware/Trojan:Win32/Vilsel"
            }
          ],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            }
          ],
          "industries": [
            "full-spectrum"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 256,
            "FileHash-SHA1": 244,
            "FileHash-SHA256": 1623,
            "hostname": 200,
            "URL": 890,
            "domain": 321,
            "CVE": 2
          },
          "indicator_count": 3536,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 78,
          "modified_text": "759 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654b48bb24c0698a054081f3",
          "name": "[Kimsuky] Operation Covert Stalker - ASEC BLOG",
          "description": "The Kimsuky group carried out covert and persistent hacking to achieve its purpose, according to a report published by AhnLab, South Korea\u2019s leading cyber-security research and intelligence agency.",
          "modified": "2023-12-08T08:02:48.494000",
          "created": "2023-11-08T08:37:15.964000",
          "tags": [
            "ahnlab",
            "north korea",
            "kimsuky group",
            "military parade",
            "stalker",
            "cve20190708",
            "asec blog",
            "distribution",
            "malicious word",
            "file related",
            "april",
            "malware",
            "phishing",
            "quasar rat",
            "anydesk",
            "korean",
            "kimsuky",
            "quasar",
            "blackbit",
            "green dinosaur"
          ],
          "references": [
            "https://asec.ahnlab.com/en/58654/",
            "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231101_Kimsuky_OP.-Covert-Stalker.pdf"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Quasar",
              "display_name": "Quasar",
              "target": null
            },
            {
              "id": "BlackBit",
              "display_name": "BlackBit",
              "target": null
            },
            {
              "id": "Green Dinosaur",
              "display_name": "Green Dinosaur",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "domain": 78,
            "URL": 133,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "email": 1,
            "hostname": 281
          },
          "indicator_count": 626,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "905 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "654299f7fed5beb4cd937497",
          "name": "[Kimsuky] Operation Covert Stalker - ASEC BLOG",
          "description": "Pulse for AhnLab ASEC's report on the Kimsuky group's Operation Covert Stalker (see references). Kimsuky is a threat group, not an individual; the pulse tags name RDP Wrapper, Quasar RAT, Ammyy RAT, AnyDesk, TeamViewer and CVE-2019-0708.",
          "modified": "2023-12-01T18:03:48.361000",
          "created": "2023-11-01T18:33:27.861000",
          "tags": [
            "kimsuky",
            "cve20190708",
            "asec",
            "stalker",
            "windows",
            "rdp wrapper",
            "quasar rat",
            "ammy rat",
            "anydesk",
            "teamviewer"
          ],
          "references": [
            "https://asec.ahnlab.com/ko/58231/",
            "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231101_Kimsuky_OP.-Covert-Stalker.pdf"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "s2wlab_talon",
            "id": "125133",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "domain": 78,
            "URL": 110,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "email": 1,
            "hostname": 256
          },
          "indicator_count": 578,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "912 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
        "https://www.virustotal.com/gui/file/a34050bc317c14db27c23a31d3b492847736e8dbbf3165b46e377f2f5b25abd2/behavior",
        "https://tria.ge/240402-zjrcladb42",
        "https://www.virustotal.com/gui/collection/700447bddc504b041ac32dac79a319f3f1768fe5fd3c5ef5fa1ad9bf296b3749",
        "https://bbs.archlinux.org/viewtopic.php?id=294456",
        "https://asec.ahnlab.com/en/58654/",
        "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)",
        "https://asec.ahnlab.com/ko/58231/",
        "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231101_Kimsuky_OP.-Covert-Stalker.pdf",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
        "URLscanio, FSio, vT",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "unknown, Chinese speaking",
            "Kimsuky"
          ],
          "malware_families": [
            "#trojan:win32/winnti",
            "Trojan:linux/rootkit",
            "Trojan:linux/xorddos",
            "Trojandropper:o97m/avemaria",
            "Trojan:win32/zusy",
            "Spyeye",
            "Trojan:win32/vilsel",
            "Green dinosaur",
            "Ld_preload",
            "Eldorado",
            "Cerberus",
            "Blackbit",
            "Ddos:linux/mirai",
            "Unknown",
            "Berbrew",
            "Emotet",
            "Tel:delphi/obfuscator",
            "Trojan:linux/mirai",
            "Virus:win32/neshta",
            "Unknown crypted",
            "Dos:linux/xorddos",
            "Quasar"
          ],
          "industries": [
            "Hospitality",
            "Technology",
            "Healthcare",
            "Full-spectrum",
            "Finance",
            "Education",
            "Retail",
            "Government",
            "Telecommunications",
            "Transportation"
          ],
          "unique_indicators": 12654
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/criminalip.io",
    "whois": "http://whois.domaintools.com/criminalip.io",
    "domain": "criminalip.io",
    "hostname": "www.criminalip.io"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "69228447b9c71795633314df",
      "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26",
      "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.",
      "modified": "2026-05-24T21:18:51.782000",
      "created": "2025-11-23T03:49:27.649000",
      "tags": [
        "geoip",
        "as54113",
        "fastly",
        "as20940",
        "as15169",
        "google",
        "as214401",
        "maincubesas",
        "gmbh",
        "apache geoip",
        "facebook",
        "UAlberta",
        "AHS",
        "Treaty 8",
        "GoA",
        "Alberta",
        "Edmonton",
        "YEG"
      ],
      "references": [
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a",
        "URLscanio, FSio, vT",
        "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary",
        "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs",
        "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Cura\u00e7ao",
        "Guatemala",
        "Sint Maarten (Dutch part)",
        "Tanzania, United Republic of",
        "Barbados",
        "United States of America",
        "Bahamas",
        "Anguilla",
        "Canada",
        "Saint Vincent and the Grenadines",
        "United Kingdom of Great Britain and Northern Ireland",
        "Kenya",
        "France",
        "Aruba",
        "Mexico",
        "Poland",
        "Costa Rica",
        "Ireland",
        "Trinidad and Tobago",
        "Netherlands",
        "Slovakia",
        "Spain",
        "Philippines"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Technology",
        "Telecommunications",
        "Education",
        "Healthcare",
        "Finance",
        "Retail",
        "Hospitality",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 47,
        "FileHash-MD5": 53,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 1059,
        "URL": 6374,
        "domain": 3314,
        "email": 1395,
        "hostname": 3740,
        "CVE": 1
      },
      "indicator_count": 15999,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 136,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "660ca5d32acac1b3479417bb",
      "name": "import of VT Collection for posterity",
      "description": "Went ahead and compiled my VirusTotal Collection (see references), which is a list, only about 60% complete, of all IoCs I've collected from my past two-year saga, which is seemingly, and ironically, starting to abate after the uncovering of agent Jian Tian on GitHub. I created a post on the Arch Linux forums which effectively turned into a rally to dig deeper and prod harder, because this event seems to hold the key for myself and hopefully a lot of others out of the fever dream that has been the past 720 days, almost on the dot. The initial attack went loud April 8th, 2022, and it has been by far one of the weirdest experiences of my life. So hopefully this compilation and injection into the open source helps someone, somewhere. Cheers.",
      "modified": "2024-05-02T23:01:04.327000",
      "created": "2024-04-03T00:41:55.581000",
      "tags": [
        "bangladesh http",
        "http",
        "formiesr02 http",
        "linkid252669",
        "triage",
        "malware",
        "analysis",
        "report",
        "reported",
        "analyze",
        "sandbox",
        "score",
        "sample",
        "resource",
        "target",
        "size",
        "sha256",
        "sha1",
        "sha512",
        "ssdeep",
        "10 deletes",
        "general",
        "config",
        "copy",
        "please",
        "javascript"
      ],
      "references": [
        "https://tria.ge/240402-zjrcladb42",
        "https://www.virustotal.com/gui/collection/700447bddc504b041ac32dac79a319f3f1768fe5fd3c5ef5fa1ad9bf296b3749",
        "https://www.virustotal.com/gui/file/a34050bc317c14db27c23a31d3b492847736e8dbbf3165b46e377f2f5b25abd2/behavior",
        "https://bbs.archlinux.org/viewtopic.php?id=294456"
      ],
      "public": 1,
      "adversary": "unknown, Chinese speaking",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Trojan:Linux/Xorddos",
          "display_name": "Trojan:Linux/Xorddos",
          "target": "/malware/Trojan:Linux/Xorddos"
        },
        {
          "id": "Virus:Win32/Neshta",
          "display_name": "Virus:Win32/Neshta",
          "target": "/malware/Virus:Win32/Neshta"
        },
        {
          "id": "SpyEye",
          "display_name": "SpyEye",
          "target": null
        },
        {
          "id": "#Trojan:Win32/Winnti",
          "display_name": "#Trojan:Win32/Winnti",
          "target": "/malware/#Trojan:Win32/Winnti"
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Cerberus",
          "display_name": "Cerberus",
          "target": null
        },
        {
          "id": "TrojanDropper:O97M/AveMaria",
          "display_name": "TrojanDropper:O97M/AveMaria",
          "target": "/malware/TrojanDropper:O97M/AveMaria"
        },
        {
          "id": "LD_Preload",
          "display_name": "LD_Preload",
          "target": null
        },
        {
          "id": "Trojan:Linux/Rootkit",
          "display_name": "Trojan:Linux/Rootkit",
          "target": "/malware/Trojan:Linux/Rootkit"
        },
        {
          "id": "DoS:Linux/Xorddos",
          "display_name": "DoS:Linux/Xorddos",
          "target": "/malware/DoS:Linux/Xorddos"
        },
        {
          "id": "Unknown",
          "display_name": "Unknown",
          "target": null
        },
        {
          "id": "Unknown Crypted",
          "display_name": "Unknown Crypted",
          "target": null
        },
        {
          "id": "DDoS:Linux/Mirai",
          "display_name": "DDoS:Linux/Mirai",
          "target": "/malware/DDoS:Linux/Mirai"
        },
        {
          "id": "Trojan:Linux/Mirai",
          "display_name": "Trojan:Linux/Mirai",
          "target": "/malware/Trojan:Linux/Mirai"
        },
        {
          "id": "TEL:Delphi/Obfuscator",
          "display_name": "TEL:Delphi/Obfuscator",
          "target": "/malware/TEL:Delphi/Obfuscator"
        },
        {
          "id": "berbrew",
          "display_name": "berbrew",
          "target": null
        },
        {
          "id": "eldorado",
          "display_name": "eldorado",
          "target": null
        },
        {
          "id": "Trojan:Win32/Zusy",
          "display_name": "Trojan:Win32/Zusy",
          "target": "/malware/Trojan:Win32/Zusy"
        },
        {
          "id": "Trojan:Win32/Vilsel",
          "display_name": "Trojan:Win32/Vilsel",
          "target": "/malware/Trojan:Win32/Vilsel"
        }
      ],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        }
      ],
      "industries": [
        "full-spectrum"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 256,
        "FileHash-SHA1": 244,
        "FileHash-SHA256": 1623,
        "hostname": 200,
        "URL": 890,
        "domain": 321,
        "CVE": 2
      },
      "indicator_count": 3536,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 78,
      "modified_text": "759 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "654b48bb24c0698a054081f3",
      "name": "[Kimsuky] Operation Covert Stalker - ASEC BLOG",
      "description": "The Kimsuky group carried out covert and persistent hacking to achieve its purpose, according to a report published by AhnLab, South Korea\u2019s leading cyber-security research and intelligence agency.",
      "modified": "2023-12-08T08:02:48.494000",
      "created": "2023-11-08T08:37:15.964000",
      "tags": [
        "ahnlab",
        "north korea",
        "kimsuky group",
        "military parade",
        "stalker",
        "cve20190708",
        "asec blog",
        "distribution",
        "malicious word",
        "file related",
        "april",
        "malware",
        "phishing",
        "quasar rat",
        "anydesk",
        "korean",
        "kimsuky",
        "quasar",
        "blackbit",
        "green dinosaur"
      ],
      "references": [
        "https://asec.ahnlab.com/en/58654/",
        "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231101_Kimsuky_OP.-Covert-Stalker.pdf"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Quasar",
          "display_name": "Quasar",
          "target": null
        },
        {
          "id": "BlackBit",
          "display_name": "BlackBit",
          "target": null
        },
        {
          "id": "Green Dinosaur",
          "display_name": "Green Dinosaur",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "domain": 78,
        "URL": 133,
        "FileHash-MD5": 100,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "email": 1,
        "hostname": 281
      },
      "indicator_count": 626,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "905 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "654299f7fed5beb4cd937497",
      "name": "[Kimsuky] Operation Covert Stalker - ASEC BLOG",
      "description": "Kimsuky has posted an image of himself on Facebook, where he says he has been the victim of a series of high-profile cyber-attacks by Russian agents, including one on the BBC.",
      "modified": "2023-12-01T18:03:48.361000",
      "created": "2023-11-01T18:33:27.861000",
      "tags": [
        "kimsuky",
        "cve20190708",
        "asec",
        "stalker",
        "windows",
        "rdp wrapper",
        "quasar rat",
        "ammy rat",
        "anydesk",
        "teamviewer"
      ],
      "references": [
        "https://asec.ahnlab.com/ko/58231/",
        "https://asec.ahnlab.com/wp-content/uploads/2023/10/20231101_Kimsuky_OP.-Covert-Stalker.pdf"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "s2wlab_talon",
        "id": "125133",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "domain": 78,
        "URL": 110,
        "FileHash-MD5": 100,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "email": 1,
        "hostname": 256
      },
      "indicator_count": 578,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "912 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.criminalip.io",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.criminalip.io",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780290862.4057856
}