{
  "type": "URL",
  "indicator": "https://www.v5002.cn",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.v5002.cn",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3897859071,
      "indicator": "https://www.v5002.cn",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "665f39b83296d4300d2fbc27",
          "name": "The Pumpkin Eclipse - Chalubo Malware",
          "description": "Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.",
          "modified": "2024-07-02T02:01:15.785000",
          "created": "2024-06-04T15:58:48.535000",
          "tags": [
            "lua script",
            "soho"
          ],
          "references": [
            "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
            "https://blog.lumen.com/the-pumpkin-eclipse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chalubo",
              "display_name": "Chalubo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "665bd55fda9811d880ce059d",
          "export_count": 381,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 40,
            "URL": 27,
            "domain": 10,
            "hostname": 7
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386543,
          "modified_text": "698 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "665e97840f8ad7f721132044",
          "name": "The Pumpkin Eclipse - Lumen",
          "description": "The Chalubo malware, first identified in 2018, was used in a destructive attack on a single internet service provider in October 2023, Lumen Technologies\u2019 Black Lotus Labs has confirmed.",
          "modified": "2024-07-04T04:03:56.761000",
          "created": "2024-06-04T04:26:44.263000",
          "tags": [
            "chalubo",
            "chalubo malware",
            "ddos",
            "actiontec",
            "lumen",
            "lua script",
            "lotus labs",
            "soho",
            "black",
            "acidrain"
          ],
          "references": [
            "https://blog.lumen.com/the-pumpkin-eclipse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chalubo",
              "display_name": "Chalubo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 28,
            "URL": 24,
            "domain": 9,
            "hostname": 7
          },
          "indicator_count": 76,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "696 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667a55dd17ebe58a413235bc",
          "name": "The Pumpkin Eclipse - Lumen",
          "description": "",
          "modified": "2024-07-04T04:03:56.761000",
          "created": "2024-06-25T05:30:05.559000",
          "tags": [
            "chalubo",
            "chalubo malware",
            "ddos",
            "actiontec",
            "lumen",
            "lua script",
            "lotus labs",
            "soho",
            "black",
            "acidrain"
          ],
          "references": [
            "https://blog.lumen.com/the-pumpkin-eclipse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chalubo",
              "display_name": "Chalubo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "665e97840f8ad7f721132044",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 28,
            "URL": 24,
            "domain": 9,
            "hostname": 7
          },
          "indicator_count": 76,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "696 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "665bd55fda9811d880ce059d",
          "name": "The Pumpkin Eclipse - Lumen",
          "description": "The Chalubo malware, first identified in 2018, was used in a destructive attack on a single internet service provider in October 2023, Lumen Technologies\u2019 Black Lotus Labs has confirmed.",
          "modified": "2024-07-02T02:01:15.785000",
          "created": "2024-06-02T02:13:51.492000",
          "tags": [
            "path",
            "button",
            "span",
            "script",
            "link",
            "template",
            "header dropdown",
            "iconbutton",
            "product",
            "solutions",
            "form",
            "footer",
            "meta",
            "code",
            "enterprise",
            "reload",
            "close",
            "chalubo",
            "download",
            "body",
            "find",
            "write",
            "star",
            "copy",
            "open",
            "main",
            "contact",
            "october",
            "chalubo malware",
            "ddos",
            "actiontec",
            "lumen",
            "lua script",
            "lotus labs",
            "soho",
            "november",
            "black",
            "next"
          ],
          "references": [
            "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
            "https://blog.lumen.com/the-pumpkin-eclipse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chalubo",
              "display_name": "Chalubo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "text_account",
            "id": "221593",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 40,
            "URL": 27,
            "domain": 10,
            "hostname": 7
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 51,
          "modified_text": "698 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66599c3a86a366014dc0c734",
          "name": "The Pumpkin Eclipse - Lumen",
          "description": "The Chalubo malware family was used in a destructive attack on a single internet service provider in late October 2023, Lumen Technologies\u2019 Black Lotus Labs has revealed in an open-source report.",
          "modified": "2024-06-30T09:00:18.472000",
          "created": "2024-05-31T09:45:30.600000",
          "tags": [
            "path",
            "button",
            "span",
            "script",
            "link",
            "template",
            "header dropdown",
            "iconbutton",
            "product",
            "solutions",
            "form",
            "footer",
            "meta",
            "code",
            "reload",
            "enterprise",
            "close",
            "chalubo",
            "download",
            "body",
            "find",
            "write",
            "star",
            "copy",
            "open",
            "main",
            "contact",
            "october",
            "chalubo malware",
            "ddos",
            "actiontec",
            "lumen",
            "lua script",
            "lotus labs",
            "soho",
            "november",
            "black",
            "next",
            "acidrain"
          ],
          "references": [
            "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
            "https://blog.lumen.com/the-pumpkin-eclipse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Chalubo",
              "display_name": "Chalubo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 40,
            "URL": 27,
            "domain": 10,
            "hostname": 7
          },
          "indicator_count": 93,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "700 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blog.lumen.com/the-pumpkin-eclipse/",
        "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Chalubo"
          ],
          "industries": [],
          "unique_indicators": 185
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Chalubo"
          ],
          "industries": [],
          "unique_indicators": 190
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/v5002.cn",
    "whois": "http://whois.domaintools.com/v5002.cn",
    "domain": "v5002.cn",
    "hostname": "www.v5002.cn"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "665f39b83296d4300d2fbc27",
      "name": "The Pumpkin Eclipse - Chalubo Malware",
      "description": "Chalubo is a commodity remote access trojan (RAT). First identified in 2018, it employed savvy tradecraft to obfuscate its activity; it removed all files from disk to run in-memory, assumed a random process name already present on the device, and encrypted all communications with the command and control (C2) server. Chalubo has payloads designed for all major SOHO/IoT kernels, pre-built functionality to perform DDoS attacks, and can execute any Lua script sent to the bot.",
      "modified": "2024-07-02T02:01:15.785000",
      "created": "2024-06-04T15:58:48.535000",
      "tags": [
        "lua script",
        "soho"
      ],
      "references": [
        "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
        "https://blog.lumen.com/the-pumpkin-eclipse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chalubo",
          "display_name": "Chalubo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "665bd55fda9811d880ce059d",
      "export_count": 381,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 40,
        "URL": 27,
        "domain": 10,
        "hostname": 7
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386543,
      "modified_text": "698 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "665e97840f8ad7f721132044",
      "name": "The Pumpkin Eclipse - Lumen",
      "description": "The Chalubo malware, first identified in 2018, was used in a destructive attack on a single internet service provider in October 2023, Lumen Technologies\u2019 Black Lotus Labs has confirmed.",
      "modified": "2024-07-04T04:03:56.761000",
      "created": "2024-06-04T04:26:44.263000",
      "tags": [
        "chalubo",
        "chalubo malware",
        "ddos",
        "actiontec",
        "lumen",
        "lua script",
        "lotus labs",
        "soho",
        "black",
        "acidrain"
      ],
      "references": [
        "https://blog.lumen.com/the-pumpkin-eclipse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chalubo",
          "display_name": "Chalubo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 28,
        "URL": 24,
        "domain": 9,
        "hostname": 7
      },
      "indicator_count": 76,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "696 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667a55dd17ebe58a413235bc",
      "name": "The Pumpkin Eclipse - Lumen",
      "description": "",
      "modified": "2024-07-04T04:03:56.761000",
      "created": "2024-06-25T05:30:05.559000",
      "tags": [
        "chalubo",
        "chalubo malware",
        "ddos",
        "actiontec",
        "lumen",
        "lua script",
        "lotus labs",
        "soho",
        "black",
        "acidrain"
      ],
      "references": [
        "https://blog.lumen.com/the-pumpkin-eclipse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chalubo",
          "display_name": "Chalubo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "665e97840f8ad7f721132044",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 28,
        "URL": 24,
        "domain": 9,
        "hostname": 7
      },
      "indicator_count": 76,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "696 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "665bd55fda9811d880ce059d",
      "name": "The Pumpkin Eclipse - Lumen",
      "description": "The Chalubo malware, first identified in 2018, was used in a destructive attack on a single internet service provider in October 2023, Lumen Technologies\u2019 Black Lotus Labs has confirmed.",
      "modified": "2024-07-02T02:01:15.785000",
      "created": "2024-06-02T02:13:51.492000",
      "tags": [
        "path",
        "button",
        "span",
        "script",
        "link",
        "template",
        "header dropdown",
        "iconbutton",
        "product",
        "solutions",
        "form",
        "footer",
        "meta",
        "code",
        "enterprise",
        "reload",
        "close",
        "chalubo",
        "download",
        "body",
        "find",
        "write",
        "star",
        "copy",
        "open",
        "main",
        "contact",
        "october",
        "chalubo malware",
        "ddos",
        "actiontec",
        "lumen",
        "lua script",
        "lotus labs",
        "soho",
        "november",
        "black",
        "next"
      ],
      "references": [
        "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
        "https://blog.lumen.com/the-pumpkin-eclipse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chalubo",
          "display_name": "Chalubo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "text_account",
        "id": "221593",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 40,
        "URL": 27,
        "domain": 10,
        "hostname": 7
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 51,
      "modified_text": "698 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66599c3a86a366014dc0c734",
      "name": "The Pumpkin Eclipse - Lumen",
      "description": "The Chalubo malware family was used in a destructive attack on a single internet service provider in late October 2023, Lumen Technologies\u2019 Black Lotus Labs has revealed in an open-source report.",
      "modified": "2024-06-30T09:00:18.472000",
      "created": "2024-05-31T09:45:30.600000",
      "tags": [
        "path",
        "button",
        "span",
        "script",
        "link",
        "template",
        "header dropdown",
        "iconbutton",
        "product",
        "solutions",
        "form",
        "footer",
        "meta",
        "code",
        "reload",
        "enterprise",
        "close",
        "chalubo",
        "download",
        "body",
        "find",
        "write",
        "star",
        "copy",
        "open",
        "main",
        "contact",
        "october",
        "chalubo malware",
        "ddos",
        "actiontec",
        "lumen",
        "lua script",
        "lotus labs",
        "soho",
        "november",
        "black",
        "next",
        "acidrain"
      ],
      "references": [
        "https://github.com/blacklotuslabs/IOCs/blob/main/Pumpkin_Eclipse_IOCs.txt",
        "https://blog.lumen.com/the-pumpkin-eclipse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Chalubo",
          "display_name": "Chalubo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bluenumberone",
        "id": "246058",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 40,
        "URL": 27,
        "domain": 10,
        "hostname": 7
      },
      "indicator_count": 93,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "700 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.v5002.cn",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.v5002.cn",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780241618.0397189
}