{ "type": "URL", "indicator": "https://zoneflare.com/uipool.scr", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://zoneflare.com/uipool.scr", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3410370759, "indicator": "https://zoneflare.com/uipool.scr", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "62440b9f3387aac2e17267a6", "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T07:49:51.026000", "tags": [ "transparent tribe", "crimsonrat", "india", "obliquerat", "afghanistan", "apt36", "mythic leopard", "apt" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "CrimsonRAT", "display_name": "CrimsonRAT", "target": null }, { "id": "ObliqueRAT", "display_name": "ObliqueRAT", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1407", "name": "Download New Code at Runtime", "display_name": "T1407 - Download New Code at Runtime" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 297, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659072f784c47e7b812b36b5", "name": "APT36", "description": "AKA Transparent Tribe, ProjectM, Mythic Leopard, Earth Karkaddan, Copper Fieldstone, TMP.Lapis, C-Major.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-01-29T19:00:22.198000", "created": "2023-12-30T19:43:51.653000", "tags": [ "dem0", "pena", "whatsoevers3r" ], "references": [ "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091", "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major", "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1", "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/", "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations", "https://blog.talosintelligence.com/transparent-tribe-new-campaign/", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html" ], "public": 1, "adversary": "APT-C-36", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Trojan:MSIL/CrimsonRAT", "display_name": "Trojan:MSIL/CrimsonRAT", "target": "/malware/Trojan:MSIL/CrimsonRAT" }, { "id": "Peppy - S0643", "display_name": "Peppy - S0643", "target": null }, { "id": "ObliqueRAT - S0644", "display_name": "ObliqueRAT - S0644", "target": null }, { "id": "DarkComet - S0334", "display_name": "DarkComet - S0334", "target": null }, { "id": "ALF:TrojanDownloader:MSIL/Njrat", "display_name": "ALF:TrojanDownloader:MSIL/Njrat", "target": null } ], "attack_ids": [ { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Education", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "FileHash-MD5": 87, "FileHash-SHA1": 86, "FileHash-SHA256": 136, "domain": 43, "hostname": 6 }, "indicator_count": 415, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "624ed65aa7fc09fc7a6a856a", "name": "Government Sector Cyber Threat Intel - Key Insights (March 2022)", "description": "In March, a Transparent Tribe campaign was found targeting the Indian government and military entities. The attacker was infecting victims with CrimsonRAT along with new stagers and implants. Further, the attackers created fake domains mimicking legitimate military and defense organizations.\n\nOther Major Incidents\nCybercriminals identified as Curious Gorge, Ghostwriter APT, and COLDRIVER were targeting NATO and Eastern European countries by launching phishing and malware attacks. Mustang Panda, UNC1151, and SCARAB were using war-related themes to target mostly Ukraine in a spear-phishing campaign. Hong Kong\u2019s electoral office apologized after an employee failed to follow guidelines and sent the personal details of voters to a random email address.", "modified": "2022-05-07T00:03:18.570000", "created": "2022-04-07T12:17:30.675000", "tags": [ "dem0", "pena", "domains", "downloaders", "whatsoevers3r", "navy filename", "sha256", "spear phishing", "campaign rtf", "mshtml", "powershell", "crimsonrat", "Government Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 21, "FileHash-SHA256": 43, "URL": 22, "domain": 20, "hostname": 2 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6243f4013e477e7e5939336a", "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T06:09:05.422000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberasmi", "id": "169715", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62444385c0cc858e1335e4d7", "name": "Transparent Tribe - APT36 using new Bespoke Malware in Campaign", "description": "APT36 using bespoke Malware within their campaigns against Indian Government Officials", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T11:48:21.163000", "tags": [ "APT36", "TransparentTribe", "Mythic Leopard" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Trojan:Win32/CrimsonRat", "display_name": "Trojan:Win32/CrimsonRat", "target": "/malware/Trojan:Win32/CrimsonRat" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 244, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6242ff9b09c1a8965f943f00", "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-29T12:46:19.259000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6243f0d43aecb45c5e8747ee", "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-30T05:55:32.684000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": "624321a21f99c3f8abb47ebd", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 867, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/", "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1", "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html", "https://blog.talosintelligence.com/transparent-tribe-new-campaign/", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html", "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091", "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations", "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major" ], "related": { "alienvault": { "adversary": [ "Transparent Tribe" ], "malware_families": [ "Obliquerat", "Crimsonrat" ], "industries": [ "Government", "Military" ], "unique_indicators": 104 }, "other": { "adversary": [ "Informational", "APT-C-36", "Transparent Tribe" ], "malware_families": [ "Alf:trojandownloader:msil/njrat", "Darkcomet - s0334", "Peppy - s0643", "Timeline", "Obliquerat - s0644", "Trojan:win32/crimsonrat", "Trojan:msil/crimsonrat" ], "industries": [ "Defense", "Government", "Military", "Education" ], "unique_indicators": 471 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/zoneflare.com", "whois": "http://whois.domaintools.com/zoneflare.com", "domain": "zoneflare.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "62440b9f3387aac2e17267a6", "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T07:49:51.026000", "tags": [ "transparent tribe", "crimsonrat", "india", "obliquerat", "afghanistan", "apt36", "mythic leopard", "apt" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "CrimsonRAT", "display_name": "CrimsonRAT", "target": null }, { "id": "ObliqueRAT", "display_name": "ObliqueRAT", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1407", "name": "Download New Code at Runtime", "display_name": "T1407 - Download New Code at Runtime" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 297, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 386585, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "659072f784c47e7b812b36b5", "name": "APT36", "description": "AKA Transparent Tribe, ProjectM, Mythic Leopard, Earth Karkaddan, Copper Fieldstone, TMP.Lapis, C-Major.\n\nIOCs gathered from social media, other analysts, and individual research.", "modified": "2024-01-29T19:00:22.198000", "created": "2023-12-30T19:43:51.653000", "tags": [ "dem0", "pena", "whatsoevers3r" ], "references": [ "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091", "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major", "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1", "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/", "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations", "https://blog.talosintelligence.com/transparent-tribe-new-campaign/", "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html" ], "public": 1, "adversary": "APT-C-36", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Trojan:MSIL/CrimsonRAT", "display_name": "Trojan:MSIL/CrimsonRAT", "target": "/malware/Trojan:MSIL/CrimsonRAT" }, { "id": "Peppy - S0643", "display_name": "Peppy - S0643", "target": null }, { "id": "ObliqueRAT - S0644", "display_name": "ObliqueRAT - S0644", "target": null }, { "id": "DarkComet - S0334", "display_name": "DarkComet - S0334", "target": null }, { "id": "ALF:TrojanDownloader:MSIL/Njrat", "display_name": "ALF:TrojanDownloader:MSIL/Njrat", "target": null } ], "attack_ids": [ { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1587.003", "name": "Digital Certificates", "display_name": "T1587.003 - Digital Certificates" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Education", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ajmeese7", "id": "218349", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "FileHash-MD5": 87, "FileHash-SHA1": 86, "FileHash-SHA256": 136, "domain": 43, "hostname": 6 }, "indicator_count": 415, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "624ed65aa7fc09fc7a6a856a", "name": "Government Sector Cyber Threat Intel - Key Insights (March 2022)", "description": "In March, a Transparent Tribe campaign was found targeting the Indian government and military entities. The attacker was infecting victims with CrimsonRAT along with new stagers and implants. Further, the attackers created fake domains mimicking legitimate military and defense organizations.\n\nOther Major Incidents\nCybercriminals identified as Curious Gorge, Ghostwriter APT, and COLDRIVER were targeting NATO and Eastern European countries by launching phishing and malware attacks. Mustang Panda, UNC1151, and SCARAB were using war-related themes to target mostly Ukraine in a spear-phishing campaign. Hong Kong\u2019s electoral office apologized after an employee failed to follow guidelines and sent the personal details of voters to a random email address.", "modified": "2022-05-07T00:03:18.570000", "created": "2022-04-07T12:17:30.675000", "tags": [ "dem0", "pena", "domains", "downloaders", "whatsoevers3r", "navy filename", "sha256", "spear phishing", "campaign rtf", "mshtml", "powershell", "crimsonrat", "Government Sector" ], "references": [], "public": 1, "adversary": "Informational", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 21, "FileHash-SHA256": 43, "URL": 22, "domain": 20, "hostname": 2 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 193, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6243f4013e477e7e5939336a", "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T06:09:05.422000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberasmi", "id": "169715", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62444385c0cc858e1335e4d7", "name": "Transparent Tribe - APT36 using new Bespoke Malware in Campaign", "description": "APT36 using bespoke Malware within their campaigns against Indian Government Officials", "modified": "2022-04-29T00:05:19.794000", "created": "2022-03-30T11:48:21.163000", "tags": [ "APT36", "TransparentTribe", "Mythic Leopard" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "", "targeted_countries": [ "India" ], "malware_families": [ { "id": "Trojan:Win32/CrimsonRat", "display_name": "Trojan:Win32/CrimsonRat", "target": "/malware/Trojan:Win32/CrimsonRat" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 244, "modified_text": "1493 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6242ff9b09c1a8965f943f00", "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-29T12:46:19.259000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 114, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6243f0d43aecb45c5e8747ee", "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials", "description": "", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-30T05:55:32.684000", "tags": [ "timeline", "transparent tribe", "sidecopy", "tribe", "crimsonrat", "india", "cisco secure", "june", "dem0", "pena", "rats", "obliquerat", "talos", "kavach", "download", "mark", "february", "keylogger", "write", "desktop", "maldoc", "umbrella", "python" ], "references": [ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html" ], "public": 1, "adversary": "Transparent Tribe", "targeted_countries": [ "Afghanistan", "India" ], "malware_families": [ { "id": "Timeline", "display_name": "Timeline", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": "624321a21f99c3f8abb47ebd", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19, "domain": 7, "FileHash-MD5": 18, "FileHash-SHA1": 18, "FileHash-SHA256": 36, "hostname": 1 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 867, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://zoneflare.com/uipool.scr", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://zoneflare.com/uipool.scr", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780263640.5765417 }