{ "type": "URL", "indicator": "https://www.letmespellmoons.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.letmespellmoons.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4059382974, "indicator": "https://www.letmespellmoons.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "68075360a020c6b0f4bf3a56", "name": "Hackers Exploit Russian Bulletproof Host Proton66 for Global Cyberattacks", "description": "Cybersecurity researchers have uncovered a surge in mass scanning, credential brute-forcing, and exploitation attempts originating from IP addresses associated with the Russian bulletproof hosting service provider Proton66. Since January 8, 2025, these attacks have targeted organizations worldwide, deploying various malware families, including GootLoader and SpyNote. The malicious activity involves exploiting critical vulnerabilities in widely used systems, posing a significant threat to global cybersecurity.", "modified": "2025-05-22T08:02:33.885000", "created": "2025-04-22T08:29:20.493000", "tags": [ "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "proton66", "prospero", "kaspersky", "strelastealer", "russian", "gootloader", "spynote", "superblack", "xworm", "weaxor", "mallox" ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" ], "public": 1, "adversary": "Prospero", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "StrelaStealer", "display_name": "StrelaStealer", "target": null }, { "id": "WeaXor", "display_name": "WeaXor", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "CVE": 5, "domain": 50, "URL": 42, "FileHash-SHA256": 6, "hostname": 2 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "377 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Prospero" ], "malware_families": [ "Xworm", "Weaxor", "Strelastealer" ], "industries": [], "unique_indicators": 111 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/letmespellmoons.com", "whois": "http://whois.domaintools.com/letmespellmoons.com", "domain": "letmespellmoons.com", "hostname": "www.letmespellmoons.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "68075360a020c6b0f4bf3a56", "name": "Hackers Exploit Russian Bulletproof Host Proton66 for Global Cyberattacks", "description": "Cybersecurity researchers have uncovered a surge in mass scanning, credential brute-forcing, and exploitation attempts originating from IP addresses associated with the Russian bulletproof hosting service provider Proton66. Since January 8, 2025, these attacks have targeted organizations worldwide, deploying various malware families, including GootLoader and SpyNote. The malicious activity involves exploiting critical vulnerabilities in widely used systems, posing a significant threat to global cybersecurity.", "modified": "2025-05-22T08:02:33.885000", "created": "2025-04-22T08:29:20.493000", "tags": [ "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "proton66", "prospero", "kaspersky", "strelastealer", "russian", "gootloader", "spynote", "superblack", "xworm", "weaxor", "mallox" ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" ], "public": 1, "adversary": "Prospero", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "StrelaStealer", "display_name": "StrelaStealer", "target": null }, { "id": "WeaXor", "display_name": "WeaXor", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "CVE": 5, "domain": 50, "URL": 42, "FileHash-SHA256": 6, "hostname": 2 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "377 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.letmespellmoons.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.letmespellmoons.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780525511.4231572 }