{
  "type": "URL",
  "indicator": "https://www.welivesecurity.com/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.welivesecurity.com/",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "whitelist",
        "message": "Whitelisted domain welivesecurity.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain welivesecurity.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3953962201,
      "indicator": "https://www.welivesecurity.com/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69d3553a6a951fc038ecfdbf",
          "name": "cloning so mine dont go missing clone arek-btc credit Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX CREATED 10 MONTHS AGO MODIFIED 9 MONTHS AGO by Arek-BTC",
          "description": "",
          "modified": "2026-04-06T06:43:36.386000",
          "created": "2026-04-06T06:39:54.842000",
          "tags": [
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "emotet payload",
            "f8 b9",
            "emotet",
            "c0 c3",
            "c0 c7",
            "c3 b8",
            "ce e8",
            "cf e8",
            "f3 ff",
            "dc ff",
            "sha256",
            "vhash",
            "rich pe",
            "ssdeep",
            "aaaa",
            "document file",
            "v2 document",
            "crlf line",
            "unicode text",
            "utf8",
            "rgba",
            "ms windows",
            "vista event",
            "file v2",
            "document",
            "defender",
            "linux",
            "lazarus",
            "simplextea",
            "figura",
            "strong",
            "badcall",
            "virustotal",
            "opendrive",
            "windows",
            "c server",
            "corea",
            "gopuram",
            "iconicstealer",
            "crisis",
            "malware",
            "coldcat",
            "danabot",
            "lumma stealer",
            "updateagent",
            "twitter",
            "taxhaul",
            "como",
            "first",
            "phishing",
            "execution",
            "este",
            "odicloader",
            "upload",
            "iconicloader",
            "tabla 1"
          ],
          "references": [
            "http://dlvr.it/Sn3dHM"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Upload",
              "display_name": "Upload",
              "target": null
            },
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "Tabla 1",
              "display_name": "Tabla 1",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            },
            {
              "id": "Figura",
              "display_name": "Figura",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684143b86c3aa6bb874c7673",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 4,
            "URL": 17,
            "email": 3,
            "hostname": 5,
            "FileHash-MD5": 64,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 68,
            "domain": 15,
            "CVE": 1,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 198,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "55 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67dd1d39730a3a1e6651f12a",
          "name": "Id=35146f05-9aac-4942-a42d-f2550a19c0c4  SimpleDriverUpdaterSetup_ppc2.exe",
          "description": "The code for the YARA malware has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
          "modified": "2025-09-01T07:52:18.567000",
          "created": "2025-03-21T08:03:05.867000",
          "tags": [
            "vhash",
            "authentihash",
            "rich pe",
            "ssdeep",
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "writefile",
            "readfile",
            "isbadreadptr",
            "setfilepointer",
            "inquest labs",
            "windows api",
            "inquestpii",
            "loadlibrarya",
            "shellexecutea",
            "getprocaddress",
            "nsis",
            "nsis integrity",
            "check function",
            "a9 f0",
            "ff ff",
            "be ad",
            "user"
          ],
          "references": [
            "dl.simplestar.com/utils/SimpleDriverUpdaterSetup_ppc2.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 6,
            "SSLCertFingerprint": 1,
            "YARA": 3,
            "URL": 4,
            "CVE": 1
          },
          "indicator_count": 27,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "272 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "684143b86c3aa6bb874c7673",
          "name": "Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX",
          "description": "The code for the YARA malware has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
          "modified": "2025-07-05T07:02:43.264000",
          "created": "2025-06-05T07:13:58.467000",
          "tags": [
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "emotet payload",
            "f8 b9",
            "emotet",
            "c0 c3",
            "c0 c7",
            "c3 b8",
            "ce e8",
            "cf e8",
            "f3 ff",
            "dc ff",
            "sha256",
            "vhash",
            "rich pe",
            "ssdeep",
            "aaaa",
            "document file",
            "v2 document",
            "crlf line",
            "unicode text",
            "utf8",
            "rgba",
            "ms windows",
            "vista event",
            "file v2",
            "document",
            "defender",
            "linux",
            "lazarus",
            "simplextea",
            "figura",
            "strong",
            "badcall",
            "virustotal",
            "opendrive",
            "windows",
            "c server",
            "corea",
            "gopuram",
            "iconicstealer",
            "crisis",
            "malware",
            "coldcat",
            "danabot",
            "lumma stealer",
            "updateagent",
            "twitter",
            "taxhaul",
            "como",
            "first",
            "phishing",
            "execution",
            "este",
            "odicloader",
            "upload",
            "iconicloader",
            "tabla 1"
          ],
          "references": [
            "http://dlvr.it/Sn3dHM"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Upload",
              "display_name": "Upload",
              "target": null
            },
            {
              "id": "IconicLoader",
              "display_name": "IconicLoader",
              "target": null
            },
            {
              "id": "Tabla 1",
              "display_name": "Tabla 1",
              "target": null
            },
            {
              "id": "BADCALL",
              "display_name": "BADCALL",
              "target": null
            },
            {
              "id": "SimplexTea",
              "display_name": "SimplexTea",
              "target": null
            },
            {
              "id": "Figura",
              "display_name": "Figura",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1593",
              "name": "Search Open Websites/Domains",
              "display_name": "T1593 - Search Open Websites/Domains"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 3,
            "URL": 13,
            "email": 3,
            "hostname": 3,
            "FileHash-MD5": 57,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 42,
            "domain": 15
          },
          "indicator_count": 151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 125,
          "modified_text": "330 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6848abe614a0beed622c296f",
          "name": "GitHub - eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations",
          "description": "The code for the YARA malware has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
          "modified": "2025-06-10T23:46:26.444000",
          "created": "2025-06-10T22:04:22.511000",
          "tags": [
            "this software",
            "including",
            "but not",
            "limited to",
            "copyright",
            "eset",
            "redistribution",
            "is provided",
            "by the",
            "as is",
            "direct",
            "damage",
            "vhash",
            "imphash",
            "rich pe",
            "ssdeep",
            "andns4 tlsh",
            "compromises",
            "sign",
            "github",
            "appearance",
            "github advanced",
            "view",
            "search",
            "notifications",
            "branches tags",
            "code issues",
            "find",
            "star",
            "malware",
            "stars",
            "python",
            "footer",
            "forks",
            "sha256",
            "authentihash"
          ],
          "references": [
            "https://github.com/eset/malware-ioc",
            "http://github.com/eset/malware-ioc",
            "https://opengraph.githubassets.com/9a4bf2f82d0ee5e77dd0d3323e0cb6f04cf21121f95b738b49ecc35a4f57a55d/eset/malware-ioc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Forks",
              "display_name": "Forks",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 1,
            "email": 1,
            "URL": 6,
            "hostname": 2,
            "FileHash-SHA256": 31,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 8
          },
          "indicator_count": 64,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "354 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c6bb5aa601e91b1314ff44",
          "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)",
          "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8",
          "modified": "2025-04-22T06:02:28.535000",
          "created": "2025-03-04T08:35:38.390000",
          "tags": [
            "misc",
            "filename ioc",
            "scanid",
            "sigtype1",
            "reasonscount",
            "sg2backup drive",
            "thu feb",
            "log entry",
            "exists1",
            "matched1",
            "warp",
            "trash",
            "rooter",
            "service",
            "puppet",
            "apache",
            "ruby",
            "execution",
            "android",
            "glasses",
            "agent",
            "hermes",
            "atlas",
            "score",
            "open",
            "orion",
            "entity",
            "download",
            "enterprise",
            "nexus",
            "beyond",
            "patch",
            "rest",
            "bsod",
            "bind",
            "june",
            "upgrade",
            "project",
            "surtr",
            "path",
            "mandrake",
            "accept",
            "openssl",
            "null",
            "responder",
            "shell",
            "servu",
            "cargo",
            "bypass",
            "green",
            "python",
            "iframe",
            "webex",
            "blink",
            "code",
            "netty",
            "fall",
            "grab",
            "metasploit",
            "webdav",
            "postscript",
            "middle",
            "assistant",
            "energy",
            "august",
            "diego",
            "february",
            "hold",
            "write",
            "extras",
            "fusion",
            "trace",
            "click",
            "rust",
            "anna",
            "virustotal",
            "rootkit",
            "timestomp",
            "doublepulsar",
            "logger",
            "teamviewer",
            "obfus",
            "probe",
            "win32",
            "snoopy",
            "vuln",
            "april",
            "format",
            "flash",
            "domino",
            "calendar",
            "cryptocat",
            "orca",
            "hello",
            "stream",
            "confi",
            "sharepoint",
            "launcher",
            "hypervisor",
            "malicious",
            "lame",
            "attack",
            "prior",
            "simple",
            "hpack",
            "homepage",
            "easy",
            "live",
            "cookie",
            "explorer",
            "config",
            "rush",
            "spark",
            "chat",
            "media",
            "webview",
            "trigger",
            "northstar",
            "monitoring",
            "false",
            "impact",
            "dino",
            "example",
            "splash",
            "macos",
            "notifier",
            "error",
            "spring",
            "this",
            "neutrino",
            "tools",
            "template",
            "crow",
            "magento",
            "zimbra",
            "drop",
            "stack",
            "linear",
            "blocker",
            "deleter",
            "main",
            "face",
            "arch",
            "hosts",
            "bifrost",
            "recursive",
            "cobaltstrike",
            "luckycat",
            "brain",
            "apt",
            "php",
            "rat",
            "hacktool",
            "worm",
            "meterpreter",
            "obfuscated",
            "evasive",
            "exaramel",
            "anti-vm"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs",
            "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary",
            "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark",
            "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d",
            "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc",
            "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview",
            "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc",
            "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 14071,
            "FileHash-MD5": 979,
            "FileHash-SHA1": 2568,
            "FileHash-SHA256": 636,
            "URL": 43905,
            "domain": 2031,
            "email": 31,
            "hostname": 3621
          },
          "indicator_count": 67842,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 133,
          "modified_text": "404 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark",
        "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d",
        "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1",
        "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc",
        "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc",
        "https://opengraph.githubassets.com/9a4bf2f82d0ee5e77dd0d3323e0cb6f04cf21121f95b738b49ecc35a4f57a55d/eset/malware-ioc",
        "https://github.com/eset/malware-ioc",
        "http://dlvr.it/Sn3dHM",
        "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview",
        "dl.simplestar.com/utils/SimpleDriverUpdaterSetup_ppc2.exe",
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary",
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs",
        "http://github.com/eset/malware-ioc"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Iconicloader",
            "Windows",
            "Tabla 1",
            "Simplextea",
            "Figura",
            "Linux",
            "Forks",
            "Badcall",
            "Odicloader",
            "Upload"
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Education",
            "Healthcare"
          ],
          "unique_indicators": 21544
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/welivesecurity.com",
    "whois": "http://whois.domaintools.com/welivesecurity.com",
    "domain": "welivesecurity.com",
    "hostname": "www.welivesecurity.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69d3553a6a951fc038ecfdbf",
      "name": "cloning so mine dont go missing clone arek-btc credit Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX CREATED 10 MONTHS AGO MODIFIED 9 MONTHS AGO by Arek-BTC",
      "description": "",
      "modified": "2026-04-06T06:43:36.386000",
      "created": "2026-04-06T06:39:54.842000",
      "tags": [
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "emotet payload",
        "f8 b9",
        "emotet",
        "c0 c3",
        "c0 c7",
        "c3 b8",
        "ce e8",
        "cf e8",
        "f3 ff",
        "dc ff",
        "sha256",
        "vhash",
        "rich pe",
        "ssdeep",
        "aaaa",
        "document file",
        "v2 document",
        "crlf line",
        "unicode text",
        "utf8",
        "rgba",
        "ms windows",
        "vista event",
        "file v2",
        "document",
        "defender",
        "linux",
        "lazarus",
        "simplextea",
        "figura",
        "strong",
        "badcall",
        "virustotal",
        "opendrive",
        "windows",
        "c server",
        "corea",
        "gopuram",
        "iconicstealer",
        "crisis",
        "malware",
        "coldcat",
        "danabot",
        "lumma stealer",
        "updateagent",
        "twitter",
        "taxhaul",
        "como",
        "first",
        "phishing",
        "execution",
        "este",
        "odicloader",
        "upload",
        "iconicloader",
        "tabla 1"
      ],
      "references": [
        "http://dlvr.it/Sn3dHM"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Upload",
          "display_name": "Upload",
          "target": null
        },
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "Tabla 1",
          "display_name": "Tabla 1",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        },
        {
          "id": "Figura",
          "display_name": "Figura",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "684143b86c3aa6bb874c7673",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 4,
        "URL": 17,
        "email": 3,
        "hostname": 5,
        "FileHash-MD5": 64,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 68,
        "domain": 15,
        "CVE": 1,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 198,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "55 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67dd1d39730a3a1e6651f12a",
      "name": "Id=35146f05-9aac-4942-a42d-f2550a19c0c4  SimpleDriverUpdaterSetup_ppc2.exe",
      "description": "The code for the YARA malware rules has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
      "modified": "2025-09-01T07:52:18.567000",
      "created": "2025-03-21T08:03:05.867000",
      "tags": [
        "vhash",
        "authentihash",
        "rich pe",
        "ssdeep",
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "writefile",
        "readfile",
        "isbadreadptr",
        "setfilepointer",
        "inquest labs",
        "windows api",
        "inquestpii",
        "loadlibrarya",
        "shellexecutea",
        "getprocaddress",
        "nsis",
        "nsis integrity",
        "check function",
        "a9 f0",
        "ff ff",
        "be ad",
        "user"
      ],
      "references": [
        "dl.simplestar.com/utils/SimpleDriverUpdaterSetup_ppc2.exe"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 6,
        "SSLCertFingerprint": 1,
        "YARA": 3,
        "URL": 4,
        "CVE": 1
      },
      "indicator_count": 27,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "272 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "684143b86c3aa6bb874c7673",
      "name": "Malware para Linux vincula a Lazarus con el ataque a la cadena de suministro de 3CX",
      "description": "The code for the YARA malware rules has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
      "modified": "2025-07-05T07:02:43.264000",
      "created": "2025-06-05T07:13:58.467000",
      "tags": [
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "emotet payload",
        "f8 b9",
        "emotet",
        "c0 c3",
        "c0 c7",
        "c3 b8",
        "ce e8",
        "cf e8",
        "f3 ff",
        "dc ff",
        "sha256",
        "vhash",
        "rich pe",
        "ssdeep",
        "aaaa",
        "document file",
        "v2 document",
        "crlf line",
        "unicode text",
        "utf8",
        "rgba",
        "ms windows",
        "vista event",
        "file v2",
        "document",
        "defender",
        "linux",
        "lazarus",
        "simplextea",
        "figura",
        "strong",
        "badcall",
        "virustotal",
        "opendrive",
        "windows",
        "c server",
        "corea",
        "gopuram",
        "iconicstealer",
        "crisis",
        "malware",
        "coldcat",
        "danabot",
        "lumma stealer",
        "updateagent",
        "twitter",
        "taxhaul",
        "como",
        "first",
        "phishing",
        "execution",
        "este",
        "odicloader",
        "upload",
        "iconicloader",
        "tabla 1"
      ],
      "references": [
        "http://dlvr.it/Sn3dHM"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Upload",
          "display_name": "Upload",
          "target": null
        },
        {
          "id": "IconicLoader",
          "display_name": "IconicLoader",
          "target": null
        },
        {
          "id": "Tabla 1",
          "display_name": "Tabla 1",
          "target": null
        },
        {
          "id": "BADCALL",
          "display_name": "BADCALL",
          "target": null
        },
        {
          "id": "SimplexTea",
          "display_name": "SimplexTea",
          "target": null
        },
        {
          "id": "Figura",
          "display_name": "Figura",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        },
        {
          "id": "T1593",
          "name": "Search Open Websites/Domains",
          "display_name": "T1593 - Search Open Websites/Domains"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 3,
        "URL": 13,
        "email": 3,
        "hostname": 3,
        "FileHash-MD5": 57,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 42,
        "domain": 15
      },
      "indicator_count": 151,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 125,
      "modified_text": "330 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6848abe614a0beed622c296f",
      "name": "GitHub - eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations",
      "description": "The code for the YARA malware rules has been released under the BSD 2-Clause license by ESET, the developer of security software for Windows.",
      "modified": "2025-06-10T23:46:26.444000",
      "created": "2025-06-10T22:04:22.511000",
      "tags": [
        "this software",
        "including",
        "but not",
        "limited to",
        "copyright",
        "eset",
        "redistribution",
        "is provided",
        "by the",
        "as is",
        "direct",
        "damage",
        "vhash",
        "imphash",
        "rich pe",
        "ssdeep",
        "andns4 tlsh",
        "compromises",
        "sign",
        "github",
        "appearance",
        "github advanced",
        "view",
        "search",
        "notifications",
        "branches tags",
        "code issues",
        "find",
        "star",
        "malware",
        "stars",
        "python",
        "footer",
        "forks",
        "sha256",
        "authentihash"
      ],
      "references": [
        "https://github.com/eset/malware-ioc",
        "http://github.com/eset/malware-ioc",
        "https://opengraph.githubassets.com/9a4bf2f82d0ee5e77dd0d3323e0cb6f04cf21121f95b738b49ecc35a4f57a55d/eset/malware-ioc"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Forks",
          "display_name": "Forks",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 1,
        "email": 1,
        "URL": 6,
        "hostname": 2,
        "FileHash-SHA256": 31,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 8
      },
      "indicator_count": 64,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "354 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c6bb5aa601e91b1314ff44",
      "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)",
      "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8",
      "modified": "2025-04-22T06:02:28.535000",
      "created": "2025-03-04T08:35:38.390000",
      "tags": [
        "misc",
        "filename ioc",
        "scanid",
        "sigtype1",
        "reasonscount",
        "sg2backup drive",
        "thu feb",
        "log entry",
        "exists1",
        "matched1",
        "warp",
        "trash",
        "rooter",
        "service",
        "puppet",
        "apache",
        "ruby",
        "execution",
        "android",
        "glasses",
        "agent",
        "hermes",
        "atlas",
        "score",
        "open",
        "orion",
        "entity",
        "download",
        "enterprise",
        "nexus",
        "beyond",
        "patch",
        "rest",
        "bsod",
        "bind",
        "june",
        "upgrade",
        "project",
        "surtr",
        "path",
        "mandrake",
        "accept",
        "openssl",
        "null",
        "responder",
        "shell",
        "servu",
        "cargo",
        "bypass",
        "green",
        "python",
        "iframe",
        "webex",
        "blink",
        "code",
        "netty",
        "fall",
        "grab",
        "metasploit",
        "webdav",
        "postscript",
        "middle",
        "assistant",
        "energy",
        "august",
        "diego",
        "february",
        "hold",
        "write",
        "extras",
        "fusion",
        "trace",
        "click",
        "rust",
        "anna",
        "virustotal",
        "rootkit",
        "timestomp",
        "doublepulsar",
        "logger",
        "teamviewer",
        "obfus",
        "probe",
        "win32",
        "snoopy",
        "vuln",
        "april",
        "format",
        "flash",
        "domino",
        "calendar",
        "cryptocat",
        "orca",
        "hello",
        "stream",
        "confi",
        "sharepoint",
        "launcher",
        "hypervisor",
        "malicious",
        "lame",
        "attack",
        "prior",
        "simple",
        "hpack",
        "homepage",
        "easy",
        "live",
        "cookie",
        "explorer",
        "config",
        "rush",
        "spark",
        "chat",
        "media",
        "webview",
        "trigger",
        "northstar",
        "monitoring",
        "false",
        "impact",
        "dino",
        "example",
        "splash",
        "macos",
        "notifier",
        "error",
        "spring",
        "this",
        "neutrino",
        "tools",
        "template",
        "crow",
        "magento",
        "zimbra",
        "drop",
        "stack",
        "linear",
        "blocker",
        "deleter",
        "main",
        "face",
        "arch",
        "hosts",
        "bifrost",
        "recursive",
        "cobaltstrike",
        "luckycat",
        "brain",
        "apt",
        "php",
        "rat",
        "hacktool",
        "worm",
        "meterpreter",
        "obfuscated",
        "evasive",
        "exaramel",
        "anti-vm"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs",
        "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary",
        "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark",
        "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d",
        "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc",
        "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview",
        "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc",
        "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 14071,
        "FileHash-MD5": 979,
        "FileHash-SHA1": 2568,
        "FileHash-SHA256": 636,
        "URL": 43905,
        "domain": 2031,
        "email": 31,
        "hostname": 3621
      },
      "indicator_count": 67842,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 133,
      "modified_text": "404 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.welivesecurity.com/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.welivesecurity.com/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780258091.3984616
}