{ "type": "URL", "indicator": "https://www.par.pl/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.par.pl/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3980214765, "indicator": "https://www.par.pl/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6768cd2fdfe372564f3b3345", "name": "Jane Doe is Targeted by DragonForce.io", "description": "Apple has released details of a virus that can be traced to a server in the US, but which has not yet been identified or detected.. and the full list of details has been revealed.", "modified": "2025-02-21T00:58:00.403000", "created": "2024-12-23T02:38:39.269000", "tags": [ "summary", "engine version", "mb data", "start date", "movies", "pictures", "export", "ipv6s", "importcsv", "psobject", "filehashwl", "notin", "select", "date", "write" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 18, "URL": 166, "hostname": 34, "FileHash-SHA256": 143, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 401, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b2748046b400a75722958a", "name": "OpsBedil: MacOS Software Post-Installation Exploitation, Apple Inc.", "description": "Threat actors affiliated with DragonForce Malaysia, Lazarus Group, etc. exploit unauthorized nodes during MacOS software installations to gain persistence, exfiltrate data, and escalate privileges. Techniques observed include T1003 (Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) over T1071 (Application Layer Protocol), and T1027 (Obfuscation) to conceal payloads. Persistence is achieved via T1053 (Scheduled Tasks) and T1543 (System Process Creation). Lateral movement is supported by T1046 (Network Discovery) and T1055 (Process Injection). Valid credentials (T1078) and remote services (T1133) enable long-term access. Proxy use (T1090) and tunneling (T1572) evade detection. Attackers hijack resources (T1496) and may deploy T1498 (DoS). Monitoring for unsigned installations, abnormal processes, and unusual traffic can detect this activity. Validating software sources and restricting network egress is recommended.", "modified": "2025-02-21T00:57:29.372000", "created": "2025-02-16T23:28:00.763000", "tags": [ "downloads music", "desktop library", "movies public", "hostname", "cves", "emails", "convertt", "filehashesepo", "display", "bash", "term", "path", "shell", "date", "license", "dyldlibrarypath", "apache software", "foundation", "notice file", "apache license", "version", "unless", "as is", "basis", "usrsbinkadmin l", "heimdal", "btmm hash", "s gmtnever", "kerberos", "logger", "force", "mit emulation", "bad option", "certhash", "movies", "music", "bluetool mktemp", "getfileinfo", "ioaccelmemory", "iosdebug", "rez mountcd9660", "mountftp", "bpinstall", "importcsv", "re resmerger", "select", "define", "http", "filehash", "open", "Aishah Siti Lazim", "194 Green Street", "Aishah Lazim", "LGBTQ Hate Attack", "Anti-semitic", "DragonForce Malaysia", "dragonforce.io", "synthetic identity theft", "computer intrusion act", "illegal surveillance", "noncivilian citizens", "havana syndrome", "electromagnetic radiation" ], "references": [ "envvars", "kadmin.local", "Info.plist", "metadata.json", "/var/log/install.log", "/var/log/install.log", "/var/log/asl", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "" ], "public": 1, "adversary": "DragonForce Malaysia", "targeted_countries": [ "United States of America", "Israel", "Bahrain", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Government", "NGO", "Media", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 116, "URL": 93, "domain": 11, "hostname": 45 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ef33ee4a7c08f8865721b3", "name": "The Jane Doe Syndrome: NetBIOs Remote Access & Sonic Warfare", "description": "An array of malicious malware, scripts, and techniques that are copycats to Apple Scripts and undetectable by anti-virus software programs. The malicious scripts such as NetBIOS and DNS spoofing can provide remote access to hackers, enabling them to gain full control and administrative privileges over Apple Inc. MacBooks. These vulnerabilities allow perpetrators to exploit system weaknesses, leading to full remote unauthorized data access, theft of sensitive information, and manipulation of system settings.", "modified": "2024-09-28T16:38:05.097000", "created": "2024-09-21T21:00:30.148000", "tags": [ "Aishah Lazim", "Malaysia", "Russia", "China", "Al-Arqam", "GUANGZHOU FIVE SIX TECHNOLOGY CO" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "domain": 6, "hostname": 14, "URL": 52, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "609 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "metadata.json", "/var/log/asl", "envvars", "Info.plist", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "kadmin.local", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", "/var/log/install.log" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "DragonForce Malaysia" ], "malware_families": [ "" ], "industries": [ "Government", "Media", "Ngo", "Education" ], "unique_indicators": 380 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/par.pl", "whois": "http://whois.domaintools.com/par.pl", "domain": "par.pl", "hostname": "www.par.pl" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6768cd2fdfe372564f3b3345", "name": "Jane Doe is Targeted by DragonForce.io", "description": "Apple has released details of a virus that can be traced to a server in the US, but which has not yet been identified or detected.. and the full list of details has been revealed.", "modified": "2025-02-21T00:58:00.403000", "created": "2024-12-23T02:38:39.269000", "tags": [ "summary", "engine version", "mb data", "start date", "movies", "pictures", "export", "ipv6s", "importcsv", "psobject", "filehashwl", "notin", "select", "date", "write" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 18, "URL": 166, "hostname": 34, "FileHash-SHA256": 143, "FileHash-MD5": 20, "FileHash-SHA1": 20 }, "indicator_count": 401, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b2748046b400a75722958a", "name": "OpsBedil: MacOS Software Post-Installation Exploitation, Apple Inc.", "description": "Threat actors affiliated with DragonForce Malaysia, Lazarus Group, etc. exploit unauthorized nodes during MacOS software installations to gain persistence, exfiltrate data, and escalate privileges. Techniques observed include T1003 (Credential Dumping) to harvest keychain data, T1020 (Automated Exfiltration) over T1071 (Application Layer Protocol), and T1027 (Obfuscation) to conceal payloads. Persistence is achieved via T1053 (Scheduled Tasks) and T1543 (System Process Creation). Lateral movement is supported by T1046 (Network Discovery) and T1055 (Process Injection). Valid credentials (T1078) and remote services (T1133) enable long-term access. Proxy use (T1090) and tunneling (T1572) evade detection. Attackers hijack resources (T1496) and may deploy T1498 (DoS). Monitoring for unsigned installations, abnormal processes, and unusual traffic can detect this activity. Validating software sources and restricting network egress is recommended.", "modified": "2025-02-21T00:57:29.372000", "created": "2025-02-16T23:28:00.763000", "tags": [ "downloads music", "desktop library", "movies public", "hostname", "cves", "emails", "convertt", "filehashesepo", "display", "bash", "term", "path", "shell", "date", "license", "dyldlibrarypath", "apache software", "foundation", "notice file", "apache license", "version", "unless", "as is", "basis", "usrsbinkadmin l", "heimdal", "btmm hash", "s gmtnever", "kerberos", "logger", "force", "mit emulation", "bad option", "certhash", "movies", "music", "bluetool mktemp", "getfileinfo", "ioaccelmemory", "iosdebug", "rez mountcd9660", "mountftp", "bpinstall", "importcsv", "re resmerger", "select", "define", "http", "filehash", "open", "Aishah Siti Lazim", "194 Green Street", "Aishah Lazim", "LGBTQ Hate Attack", "Anti-semitic", "DragonForce Malaysia", "dragonforce.io", "synthetic identity theft", "computer intrusion act", "illegal surveillance", "noncivilian citizens", "havana syndrome", "electromagnetic radiation" ], "references": [ "envvars", "kadmin.local", "Info.plist", "metadata.json", "/var/log/install.log", "/var/log/install.log", "/var/log/asl", "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", "/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/accessoryupdaterd", "" ], "public": 1, "adversary": "DragonForce Malaysia", "targeted_countries": [ "United States of America", "Israel", "Bahrain", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Government", "NGO", "Media", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 8, "FileHash-SHA1": 10, "FileHash-SHA256": 116, "URL": 93, "domain": 11, "hostname": 45 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ef33ee4a7c08f8865721b3", "name": "The Jane Doe Syndrome: NetBIOs Remote Access & Sonic Warfare", "description": "An array of malicious malware, scripts, and techniques that are copycats to Apple Scripts and undetectable by anti-virus software programs. The malicious scripts such as NetBIOS and DNS spoofing can provide remote access to hackers, enabling them to gain full control and administrative privileges over Apple Inc. MacBooks. These vulnerabilities allow perpetrators to exploit system weaknesses, leading to full remote unauthorized data access, theft of sensitive information, and manipulation of system settings.", "modified": "2024-09-28T16:38:05.097000", "created": "2024-09-21T21:00:30.148000", "tags": [ "Aishah Lazim", "Malaysia", "Russia", "China", "Al-Arqam", "GUANGZHOU FIVE SIX TECHNOLOGY CO" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ravescoutllc.", "id": "288912", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "domain": 6, "hostname": 14, "URL": 52, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 30, "modified_text": "609 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.par.pl/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.par.pl/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780212771.703859 }