{ "type": "URL", "indicator": "https://xqwmwru.top/admin/login.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://xqwmwru.top/admin/login.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4280856815, "indicator": "https://xqwmwru.top/admin/login.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69cd4a1d9132694a02d2fd1f", "name": "EbeeMar2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:38:53.145000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 123, "FileHash-SHA1": 96, "FileHash-SHA256": 173, "CVE": 14, "URL": 33, "domain": 108, "hostname": 62 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c666daa119abc0c96db147", "name": "Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware", "description": "Silver Fox, a China-based intrusion set active since early 2022, has notably transitioned from primarily financially motivated attacks to a dual strategy involving both advanced persistent threat (APT) operations and traditional cybercrime. This evolution reflects a broader trend observed in 2025, where the distinctions between financially driven cybercrime and state-sponsored espionage have become increasingly ambiguous.", "modified": "2026-04-26T11:03:33.153000", "created": "2026-03-27T11:15:38.580000", "tags": [ "silver fox", "taiwan", "valleyrat", "rmm tool", "south asia", "python stealer", "malaysia", "china", "holdinghands", "india", "winos", "indonesia", "gh0st rat", "blackmoon", "august", "telegram", "april", "virustotal", "february", "installer", "malware", "gh0st", "python", "ioc https", "archive" ], "references": [ "https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [ "Financial", "Government", "Education", "Critical_infrastructure", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 3, "domain": 37, "hostname": 8 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/", "IOCs.2026.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer", "Silver Fox" ], "malware_families": [], "industries": [ "Education", "Financial", "Critical_infrastructure", "Government", "Entertainment" ], "unique_indicators": 671 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/xqwmwru.top", "whois": "http://whois.domaintools.com/xqwmwru.top", "domain": "xqwmwru.top", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69cd4a1d9132694a02d2fd1f", "name": "EbeeMar2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:38:53.145000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Silver Fox, Powercat, BRUSHWORM and BRUSHLOGGER, Blank Grabber, Infiniti Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 123, "FileHash-SHA1": 96, "FileHash-SHA256": 173, "CVE": 14, "URL": 33, "domain": 108, "hostname": 62 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c666daa119abc0c96db147", "name": "Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware", "description": "Silver Fox, a China-based intrusion set active since early 2022, has notably transitioned from primarily financially motivated attacks to a dual strategy involving both advanced persistent threat (APT) operations and traditional cybercrime. This evolution reflects a broader trend observed in 2025, where the distinctions between financially driven cybercrime and state-sponsored espionage have become increasingly ambiguous.", "modified": "2026-04-26T11:03:33.153000", "created": "2026-03-27T11:15:38.580000", "tags": [ "silver fox", "taiwan", "valleyrat", "rmm tool", "south asia", "python stealer", "malaysia", "china", "holdinghands", "india", "winos", "indonesia", "gh0st rat", "blackmoon", "august", "telegram", "april", "virustotal", "february", "installer", "malware", "gh0st", "python", "ioc https", "archive" ], "references": [ "https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" } ], "industries": [ "Financial", "Government", "Education", "Critical_infrastructure", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 23, "URL": 3, "domain": 37, "hostname": 8 }, "indicator_count": 82, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://xqwmwru.top/admin/login.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://xqwmwru.top/admin/login.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780255391.5802038 }