{ "type": "URL", "indicator": "https://www.shipshorejob.com/ckeditor/samples/samples.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.shipshorejob.com/ckeditor/samples/samples.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3504488666, "indicator": "https://www.shipshorejob.com/ckeditor/samples/samples.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "62c550d6972c7cd04374c890", "name": "VSingle malware obtains C2 server information from GitHub", "description": "Recently, the malware used by Lazarus VSingle has been updated to retrieve C2 servers information from GitHub. This article focuses on the updates of VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.", "modified": "2022-07-06T09:07:34.009000", "created": "2022-07-06T09:07:34.009000", "tags": [ "vsingle", "lazarus", "apt" ], "references": [ "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "VSingle", "display_name": "VSingle", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 393, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 3, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 377580, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62c4f11599a6f54979e9364c", "name": "VSingle malware that obtains C2 server information from GitHub - JPCERT/CC Eyes | JPCERT Coordination Center official Blog", "description": "The latest version of the VSingle malware, which was used by the Lazarus cyber-attack, retrieves data from C2 servers to access GitHub repositories, as shown in Figure 1 and Figure 2.", "modified": "2022-07-06T02:19:01.255000", "created": "2022-07-06T02:19:01.255000", "tags": [ "vsingle", "lazarus", "c2 server", "khtml", "gecko" ], "references": [ "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "VSingle", "display_name": "VSingle", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "caralin0702", "id": "73972", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 100, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html" ], "related": { "alienvault": { "adversary": [ "Lazarus" ], "malware_families": [ "Vsingle" ], "industries": [], "unique_indicators": 21 }, "other": { "adversary": [ "Lazarus" ], "malware_families": [ "Vsingle" ], "industries": [], "unique_indicators": 22 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/shipshorejob.com", "whois": "http://whois.domaintools.com/shipshorejob.com", "domain": "shipshorejob.com", "hostname": "www.shipshorejob.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "62c550d6972c7cd04374c890", "name": "VSingle malware obtains C2 server information from GitHub", "description": "Recently, the malware used by Lazarus VSingle has been updated to retrieve C2 servers information from GitHub. This article focuses on the updates of VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.", "modified": "2022-07-06T09:07:34.009000", "created": "2022-07-06T09:07:34.009000", "tags": [ "vsingle", "lazarus", "apt" ], "references": [ "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "VSingle", "display_name": "VSingle", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 393, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 3, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 377580, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62c4f11599a6f54979e9364c", "name": "VSingle malware that obtains C2 server information from GitHub - JPCERT/CC Eyes | JPCERT Coordination Center official Blog", "description": "The latest version of the VSingle malware, which was used by the Lazarus cyber-attack, retrieves data from C2 servers to access GitHub repositories, as shown in Figure 1 and Figure 2.", "modified": "2022-07-06T02:19:01.255000", "created": "2022-07-06T02:19:01.255000", "tags": [ "vsingle", "lazarus", "c2 server", "khtml", "gecko" ], "references": [ "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "VSingle", "display_name": "VSingle", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "caralin0702", "id": "73972", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "URL": 11, "domain": 5, "hostname": 3 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 100, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.shipshorejob.com/ckeditor/samples/samples.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.shipshorejob.com/ckeditor/samples/samples.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776644030.8847656 }