{ "type": "URL", "indicator": "https://zhblz.com/zJ2w9x", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://zhblz.com/zJ2w9x", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4274483064, "indicator": "https://zhblz.com/zJ2w9x", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd14fbf899edc8d95414be", "name": "FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops", "description": "The reported findings on FancyBear, a Russian Advanced Persistent Threat (APT), detail a significant operational security lapse in a campaign known as Operation Roundish. This analysis stemmed from an open directory exposed in January 2026, revealing extensive data including over 2,800 emails and 240 sets of stolen credentials. The exfiltration methods used by FancyBear included creating forwarding rules in victims\u2019 email accounts, enabling silent capture and redirection of emails to attacker-controlled mailboxes.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:35:55.851000", "tags": [ "fancybear", "roundcube", "certua", "totp", "ip address", "september", "c2 log", "ctrlaltintel", "c2 server", "squirrelmail", "ukraine", "window", "sednit", "august", "february", "metasploit", "loop", "zimbra", "error", "impact", "proton", "phishing", "powershell", "interception", "capture", "blizzard", "albania", "roundcube xss", "scripttaker.js", "squirrelmail xss", "xss" ], "references": [ "https://ctrlaltintel.com/threat%20research/FancyBear/" ], "public": 1, "adversary": "Fancy_bear", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Education", "Telecommunications", "Healthcare", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 8, "domain": 21, "email": 1, "hostname": 8 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.pdf", "https://ctrlaltintel.com/threat%20research/FancyBear/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Fancy_bear", "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana" ], "malware_families": [], "industries": [ "Government", "Healthcare", "Energy", "Education", "Telecommunications" ], "unique_indicators": 981 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/zhblz.com", "whois": "http://whois.domaintools.com/zhblz.com", "domain": "zhblz.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd14fbf899edc8d95414be", "name": "FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops", "description": "The reported findings on FancyBear, a Russian Advanced Persistent Threat (APT), detail a significant operational security lapse in a campaign known as Operation Roundish. This analysis stemmed from an open directory exposed in January 2026, revealing extensive data including over 2,800 emails and 240 sets of stolen credentials. The exfiltration methods used by FancyBear included creating forwarding rules in victims\u2019 email accounts, enabling silent capture and redirection of emails to attacker-controlled mailboxes.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:35:55.851000", "tags": [ "fancybear", "roundcube", "certua", "totp", "ip address", "september", "c2 log", "ctrlaltintel", "c2 server", "squirrelmail", "ukraine", "window", "sednit", "august", "february", "metasploit", "loop", "zimbra", "error", "impact", "proton", "phishing", "powershell", "interception", "capture", "blizzard", "albania", "roundcube xss", "scripttaker.js", "squirrelmail xss", "xss" ], "references": [ "https://ctrlaltintel.com/threat%20research/FancyBear/" ], "public": 1, "adversary": "Fancy_bear", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Government", "Education", "Telecommunications", "Healthcare", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 8, "domain": 21, "email": 1, "hostname": 8 }, "indicator_count": 39, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://zhblz.com/zJ2w9x", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://zhblz.com/zJ2w9x", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780226308.1707838 }