{ "type": "URL", "indicator": "https://www.kyndryl.com/us/en", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.kyndryl.com/us/en", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3909579498, "indicator": "https://www.kyndryl.com/us/en", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "Server: Web redirection - http://loki.com/download", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Virtool:win32/ceeinject", "Win32:evo-gen\\ [susp]", "Win32:evo-gen", "Backdoor:msil/bladabindi", "Win.trojan.darkkomet-1", "Mirai" ], "industries": [ "Media", "Entertainment", "Technology" ], "unique_indicators": 17734 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/kyndryl.com", "whois": "http://whois.domaintools.com/kyndryl.com", "domain": "kyndryl.com", "hostname": "www.kyndryl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66762a4ccb10185d774ddbde", "name": "Lazarus Group - Emotet | Sony Music", "description": "Is the Lazarus Group still attacking Sony Music, affiliated, former, contacts, aspiring prospects and independent artists?\n\nA Denver Studio owner had former Sony leadership role was fully infected with Pegasus, Mirai and a Lazarus Group affiliation seen. An independent Denver publishing company and artists were greatly targeted and continue to be. A songwriter known to have recorded at Denver Studio had songs pirated. Tori Kelly and Justin Bieber recorded over chops copy written by artist. Strangely legally affiliated. A rumor suggests Lazarus group & Anonymous are hacker made up of government employees, police officers, attorneys and PI's. The government affiliated IP's are give rumors some weight. Hackers will hack anything, \nMost popular beliefs are artist was targeted and therefore the studio where she target worked from often. Denver Studio report scrubbed by HistoryKillerPro & other Unknown Stealers.", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T01:35:08.834000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667648f0bc130bdaa294ea19", "name": "Sony Music | Emotet - Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-06-22T03:45:52.401000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "66762a4ccb10185d774ddbde", "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f340f8c0223ae0ce199d", "name": "Bitdefender Ransomware| | Sony Music | Lazarus Affiliated", "description": "", "modified": "2024-07-22T01:04:09.406000", "created": "2024-07-01T00:07:28.402000", "tags": [ "url https", "url http", "active related", "pulses hostname", "ipv4", "showing", "entries", "active", "passive dns", "as2527 sony", "all scoreblue", "pulse pulses", "urls", "files", "reverse dns", "location chiba", "united", "unknown", "date", "moved", "search", "gmt content", "domain", "body", "encrypt", "as58061 scalaxy", "asn as58061", "dns resolutions", "expiration", "no expiration", "hostname", "iocs", "filehashsha256", "scan endpoints", "next", "report spam", "lazarus created", "minutes ago", "amber tags", "filehashsha1", "group", "tip oriented", "threat research", "android10", "type indicator", "role title", "creation date", "emails", "pulse submit", "url analysis", "germany unknown", "aaaa", "cname", "as209453 gandi", "as209453", "france unknown", "ireland unknown", "susp", "backdoor", "win32", "meta", "cookie", "pragma", "open ports", "as20940", "status", "certificate", "rsa sha256", "record value", "historical ssl", "referrer", "collection", "vt graph", "glaxosmithkline", "cyber threat", "heur", "phishing", "team", "malicious site", "control server", "coalition", "team phishing", "engineering", "emotet", "malware", "malicious", "download", "cobalt strike", "binder", "dropper", "formbook", "facebook", "artemis", "azorult", "bank", "site", "cisco umbrella", "alexa top", "million", "alexa", "hostnames", "detection list", "blacklist", "a domains", "bitdefender", "leader", "as15133 verizon", "melbourne it", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "headers date", "gmt contenttype", "connection", "ip address", "web redirection", "sha1", "ascii text", "sha256", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "pattern match", "hybrid", "starfield", "format", "june", "local", "click", "strings", "contact", "loki" ], "references": [ "https://otx.alienvault.com/indicator/url/http://accounts-upadates-informations-services-login-customer-id.marketingplus1.com/itunes", "Relationship: Louisiana Cyber Investigators Alliance (LCIA)", "https://otx.alienvault.com/indicator/url/http://dashboard.loki.com/files/LokiApplet.jar", "Ransomware: https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage", "Emotet: IPv4 104.18.41.100 | IPv4 104.18.45.108", "Server: Web redirection - http://loki.com/download", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: https://forms.sonymusicfans.com/campaign/jazmine-sullivan-heaux-tails-pre-save/", "Phishing: http://forms.sonymusicfans.com/campaign/old-dominion-newsletter-sign-up/?ss=0" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Win.Trojan.DarkKomet-1", "display_name": "Win.Trojan.DarkKomet-1", "target": null }, { "id": "VirTool:Win32/CeeInject", "display_name": "VirTool:Win32/CeeInject", "target": "/malware/VirTool:Win32/CeeInject" }, { "id": "Backdoor:MSIL/Bladabindi", "display_name": "Backdoor:MSIL/Bladabindi", "target": "/malware/Backdoor:MSIL/Bladabindi" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "Win32:Evo-gen\\ [Susp]", "display_name": "Win32:Evo-gen\\ [Susp]", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [ "Entertainment", "Technology", "Media" ], "TLP": "green", "cloned_from": "667648f0bc130bdaa294ea19", "export_count": 6847, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3528, "domain": 1453, "hostname": 1542, "FileHash-SHA256": 757, "FileHash-SHA1": 66, "FileHash-MD5": 79, "email": 5, "CVE": 4, "SSLCertFingerprint": 14 }, "indicator_count": 7448, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "678 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.kyndryl.com/us/en", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.kyndryl.com/us/en", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780259160.0737803 }