{ "type": "URL", "indicator": "https://www.pdflibr.com/AS212283", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.pdflibr.com/AS212283", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4125239408, "indicator": "https://www.pdflibr.com/AS212283", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68b333946d662330bd8d45d9", "name": "VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attack.", "description": "Between June and July 2025, a series of coordinated brute force and password spraying attacks were orchestrated from a group of Ukrainian networks, including FDN3, VAIZ, and E-RISHENNYA, alongside a Seychelles-based network known as TK-NET. FDN3, attributed to FOP Dmytro Nedilskyi and identified as AS211736, was particularly active, targeting SSL VPN and RDP devices and executing hundreds of thousands of such attacks over spans of up to three days. The malicious infrastructure exploited shared IPv4 prefixes among itself and its affiliated networks to bypass blocklists, indicating a sophisticated evasive strategy likely managed by a common administrator.", "modified": "2025-09-29T17:01:07.026000", "created": "2025-08-30T17:23:32.274000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be5c2e972874afe87ac04b", "name": "A nebula of Ukrainian networks engaged in brute force and password spraying", "description": "", "modified": "2025-09-29T17:01:07.026000", "created": "2025-09-08T04:31:42.645000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": "68b333946d662330bd8d45d9", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 122 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/pdflibr.com", "whois": "http://whois.domaintools.com/pdflibr.com", "domain": "pdflibr.com", "hostname": "www.pdflibr.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68b333946d662330bd8d45d9", "name": "VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attack.", "description": "Between June and July 2025, a series of coordinated brute force and password spraying attacks were orchestrated from a group of Ukrainian networks, including FDN3, VAIZ, and E-RISHENNYA, alongside a Seychelles-based network known as TK-NET. FDN3, attributed to FOP Dmytro Nedilskyi and identified as AS211736, was particularly active, targeting SSL VPN and RDP devices and executing hundreds of thousands of such attacks over spans of up to three days. The malicious infrastructure exploited shared IPv4 prefixes among itself and its affiliated networks to bypass blocklists, indicating a sophisticated evasive strategy likely managed by a common administrator.", "modified": "2025-09-29T17:01:07.026000", "created": "2025-08-30T17:23:32.274000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68be5c2e972874afe87ac04b", "name": "A nebula of Ukrainian networks engaged in brute force and password spraying", "description": "", "modified": "2025-09-29T17:01:07.026000", "created": "2025-09-08T04:31:42.645000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-20250828-VAIZ-FDN3-TK-NET-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "green", "cloned_from": "68b333946d662330bd8d45d9", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "CIDR": 16, "FileHash-MD5": 1, "domain": 8, "email": 1, "hostname": 4 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.pdflibr.com/AS212283", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.pdflibr.com/AS212283", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780345842.0930886 }