{
  "type": "URL",
  "indicator": "https://www.updatee-facebok.com/sostener.vbs",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.updatee-facebok.com/sostener.vbs",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4013623397,
      "indicator": "https://www.updatee-facebok.com/sostener.vbs",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "682554f8cb8dd6dce4b839a7",
          "name": "Remcos extra",
          "description": "",
          "modified": "2025-12-25T20:49:21.712000",
          "created": "2025-05-15T02:44:08.231000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1206,
            "domain": 296,
            "hostname": 1036,
            "URL": 1854,
            "CVE": 2
          },
          "indicator_count": 4394,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6860fc2386d1a2e841746fde",
          "name": "Tracing Blind Eagle to Proton66.",
          "description": "The cyber threat group known as Blind Eagle, or APT-C-36, is closely linked to the Russian bulletproof hosting company Proton66 and is actively targeting organizations in Latin America, particularly Colombian financial institutions. Recent investigations have revealed a significant operational infrastructure used by this group, characterized by extensive interconnections among various domains and IP addresses. Its modus operandi primarily relies on Visual Basic Script (VBS) files as the initial attack vector and uses free Dynamic DNS (DDNS) services to support its operations.",
          "modified": "2025-07-29T08:03:41.236000",
          "created": "2025-06-29T08:41:07.783000",
          "tags": [
            "trustwave",
            "blind eagle",
            "dark web",
            "login",
            "demo",
            "proton66",
            "rats",
            "new technology",
            "sector research",
            "reveals rising",
            "test",
            "global",
            "tools",
            "june",
            "august",
            "defender",
            "powershell",
            "remcos",
            "asyncrat"
          ],
          "references": [
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Australia",
            "Singapore"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            }
          ],
          "industries": [
            "Financial",
            "Banks"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 139,
            "domain": 5,
            "hostname": 35,
            "FileHash-SHA256": 69
          },
          "indicator_count": 248,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "308 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f70d470cdbab07d3bdb8f",
          "name": "URLHaus Recent URLs",
          "description": "",
          "modified": "2025-05-15T13:30:30.738000",
          "created": "2024-11-09T14:25:24.551000",
          "tags": [],
          "references": [
            "https://urlhaus.abuse.ch/downloads/csv_recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 313720
          },
          "indicator_count": 313720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "383 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://urlhaus.abuse.ch/downloads/csv_recent/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Financial",
            "Banks"
          ],
          "unique_indicators": 317123
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/updatee-facebok.com",
    "whois": "http://whois.domaintools.com/updatee-facebok.com",
    "domain": "updatee-facebok.com",
    "hostname": "www.updatee-facebok.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "682554f8cb8dd6dce4b839a7",
      "name": "Remcos extra",
      "description": "",
      "modified": "2025-12-25T20:49:21.712000",
      "created": "2025-05-15T02:44:08.231000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1206,
        "domain": 296,
        "hostname": 1036,
        "URL": 1854,
        "CVE": 2
      },
      "indicator_count": 4394,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6860fc2386d1a2e841746fde",
      "name": "Tracing Blind Eagle to Proton66.",
      "description": "The cyber threat group known as Blind Eagle, or APT-C-36, is closely linked to the Russian bulletproof hosting company Proton66 and is actively targeting organizations in Latin America, particularly Colombian financial institutions. Recent investigations have revealed a significant operational infrastructure used by this group, characterized by extensive interconnections among various domains and IP addresses. Its modus operandi primarily relies on Visual Basic Script (VBS) files as the initial attack vector and uses free Dynamic DNS (DDNS) services to support its operations.",
      "modified": "2025-07-29T08:03:41.236000",
      "created": "2025-06-29T08:41:07.783000",
      "tags": [
        "trustwave",
        "blind eagle",
        "dark web",
        "login",
        "demo",
        "proton66",
        "rats",
        "new technology",
        "sector research",
        "reveals rising",
        "test",
        "global",
        "tools",
        "june",
        "august",
        "defender",
        "powershell",
        "remcos",
        "asyncrat"
      ],
      "references": [
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tracing-blind-eagle-to-proton66/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Australia",
        "Singapore"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        }
      ],
      "industries": [
        "Financial",
        "Banks"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 139,
        "domain": 5,
        "hostname": 35,
        "FileHash-SHA256": 69
      },
      "indicator_count": 248,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "308 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f70d470cdbab07d3bdb8f",
      "name": "URLHaus Recent URLs",
      "description": "",
      "modified": "2025-05-15T13:30:30.738000",
      "created": "2024-11-09T14:25:24.551000",
      "tags": [],
      "references": [
        "https://urlhaus.abuse.ch/downloads/csv_recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 313720
      },
      "indicator_count": 313720,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "383 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.updatee-facebok.com/sostener.vbs",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.updatee-facebok.com/sostener.vbs",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [],
    "date_added": "2024-12-17",
    "last_online": "",
    "reporter": "abus3reports",
    "host": "www.updatee-facebok.com",
    "payloads": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780468502.9140048
}