{ "type": "URL", "indicator": "https://zoom.web11eu.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://zoom.web11eu.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4237406218, "indicator": "https://zoom.web11eu.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69eae966e2994ca9410416e7", "name": "CAPE Sandbox - Watson", "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.", "modified": "2026-05-24T05:16:16.520000", "created": "2026-04-24T03:54:14.835000", "tags": [ "akamai", "city", "noc united", "orgid", "akamai ref", "net23", "net230000", "cidr", "orgabusehandle", "orgtechhandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 382, "FileHash-SHA1": 361, "FileHash-SHA256": 1250, "URL": 1436, "domain": 425, "hostname": 783, "CIDR": 1, "email": 29, "CVE": 1, "URI": 2 }, "indicator_count": 4670, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a6af51ef1d4e16047644bd", "name": "Crazy Evil / OBS \u2014 Crypto Fraud Network \u2014 40+ Phishing Domains, StealC, AMOS", "description": "Active organized cybercrime infrastructure operated by the OBS branch of \"Crazy Evil\" (Russian-speaking traffer team, active since 2021, $5M+ stolen). C2 dashboard at obs.casino manages 17 phishing projects across 40+ domains. Distributes StealC (Windows) and AMOS (macOS). Tools: Crazy Drainer (Solana), Ledger Loader, keylogger, AI voice generator. Ref: Recorded Future Jan 2025.", "modified": "2026-04-02T09:08:24.412000", "created": "2026-03-03T09:52:15.054000", "tags": [ "crazy evil", "crypto", "fraud network", "active", "threat actor", "malware", "stealc", "windows", "amos", "crazy drainer", "internal", "OBS", "infostealer", "phishing", "wallet-drainer", "cryptocurrency" ], "references": [], "public": 1, "adversary": "Crazy Evil", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Atomic macOS Stealer", "display_name": "Atomic macOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Cryptocurrency", "Financial Services", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "night0xhat", "id": "386644", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_386644/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "domain": 26, "hostname": 11 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "58 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Crazy Evil" ], "malware_families": [ "Amos", "Stealc", "Atomic macos stealer" ], "industries": [ "Technology", "Financial services", "Cryptocurrency" ], "unique_indicators": 2956 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/web11eu.com", "whois": "http://whois.domaintools.com/web11eu.com", "domain": "web11eu.com", "hostname": "zoom.web11eu.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69eae966e2994ca9410416e7", "name": "CAPE Sandbox - Watson", "description": "[full list of details about Akamai, the web hosting company, that has been abused on the internet for more than 20 years.. and the names of its users have been published.] pretext. Watson frequents. wizard8.", "modified": "2026-05-24T05:16:16.520000", "created": "2026-04-24T03:54:14.835000", "tags": [ "akamai", "city", "noc united", "orgid", "akamai ref", "net23", "net230000", "cidr", "orgabusehandle", "orgtechhandle" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 382, "FileHash-SHA1": 361, "FileHash-SHA256": 1250, "URL": 1436, "domain": 425, "hostname": 783, "CIDR": 1, "email": 29, "CVE": 1, "URI": 2 }, "indicator_count": 4670, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a6af51ef1d4e16047644bd", "name": "Crazy Evil / OBS \u2014 Crypto Fraud Network \u2014 40+ Phishing Domains, StealC, AMOS", "description": "Active organized cybercrime infrastructure operated by the OBS branch of \"Crazy Evil\" (Russian-speaking traffer team, active since 2021, $5M+ stolen). C2 dashboard at obs.casino manages 17 phishing projects across 40+ domains. Distributes StealC (Windows) and AMOS (macOS). Tools: Crazy Drainer (Solana), Ledger Loader, keylogger, AI voice generator. Ref: Recorded Future Jan 2025.", "modified": "2026-04-02T09:08:24.412000", "created": "2026-03-03T09:52:15.054000", "tags": [ "crazy evil", "crypto", "fraud network", "active", "threat actor", "malware", "stealc", "windows", "amos", "crazy drainer", "internal", "OBS", "infostealer", "phishing", "wallet-drainer", "cryptocurrency" ], "references": [], "public": 1, "adversary": "Crazy Evil", "targeted_countries": [], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Atomic macOS Stealer", "display_name": "Atomic macOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Cryptocurrency", "Financial Services", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "night0xhat", "id": "386644", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_386644/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "domain": 26, "hostname": 11 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "58 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://zoom.web11eu.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://zoom.web11eu.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780212351.9507215 }