{ "type": "Domain", "indicator": "in2pay.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/in2pay.com", "alexa": "http://www.alexa.com/siteinfo/in2pay.com", "indicator": "in2pay.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4071947575, "indicator": "in2pay.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "690b1b175f4f05eaf8f6c0e0", "name": "CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE", "description": "The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVit and FORTRA Go-Anywhere exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.", "modified": "2025-12-05T09:00:38.044000", "created": "2025-11-05T09:38:31.645000", "tags": [ "cve-2025-61882", "cve-2023-0669", "cyclops blink", "cryptomix", "infrastructure", "oracle ebs", "cve-2023-34362", "ransomware", "fingerprints", "ip addresses", "network analysis" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "Clop", "targeted_countries": [ "Germany", "Brazil", "Panama", "Russian Federation", "Netherlands", "United States of America", "Canada" ], "malware_families": [ { "id": "Cyclops Blink - S0687", "display_name": "Cyclops Blink - S0687", "target": null }, { "id": "CryptoMix", "display_name": "CryptoMix", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Technology", "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 12, "URL": 1, "domain": 7 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 387167, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690cab125d637500bd002d48", "name": "CLOP RANSOMWARE: DISSECTING NETWORK", "description": "Clop ransomware, operating since early 2019, has infiltrated a range of corporate and private networks, with estimated extortion profits exceeding $500 million. Originating from a group believed to be based in Russia, Clop avoids targeting Commonwealth of Independent States (CIS) countries. This ransomware variant is considered a successor to CryptoMix ransomware, which emerged in 2016. A notable technical aspect of Clop's operations includes the exploitation of vulnerabilities such as CVE-2025-61882, an Oracle E-Business Suite zero-day exploit that came to light in June 2025. This specific attack method underscores Clop's sophisticated approach to leveraging emerging CVEs for network infiltration. Analysis of Clop's network reveals a trend in IP usage, with Germany, Brazil, Panama, and Hong Kong being prominent sources. Out of 96 identified IPs associated with Clop, 41 subnet IPs have been reused, indicating a systematic approach to infrastructure.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T14:05:06.749000", "tags": [ "cl0p", "group", "clop", "russia", "exploit", "fingerprint", "panama", "movit exploit", "research", "suite", "june", "path", "cryptomix" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Lebanon", "Iran, Islamic Republic of", "Azerbaijan" ], "malware_families": [ { "id": "CryptoMix", "display_name": "CryptoMix", "target": null }, { "id": "Clop", "display_name": "Clop", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-SHA256": 12, "domain": 7 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 547, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690981f1bb64d70b9843c1d6", "name": "CLOP RANSOMWARE: DISSECTING NETWORK: THE RAVEN FILE", "description": "Found strong indicators of Clop Ransomware which had been used in 2023 Exploits by the Group!\n\nIn-depth analysis of Clop (cl0p) ransomware\u2019s current network infrastructure, mapping 96 IPs across 20+ countries. Reveals 77.8% subnet reuse, persistent C2 fingerprints from 2023 MOVEit attacks, and active exploitation of Oracle EBS zero-day (CVE-2025-61882). Includes high-confidence IOCs, leak domains, and defender guidance.", "modified": "2025-12-04T04:04:50.506000", "created": "2025-11-04T04:32:49.244000", "tags": [ "cl0p", "group", "clop", "russia", "exploit", "fingerprint", "panama", "movit exploit", "research", "facebook", "ransomware", "zeroday", "0day", "darkweb" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 12, "URL": 1, "domain": 7 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "181 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/", "Nov.Week1.pdf" ], "related": { "alienvault": { "adversary": [ "Clop" ], "malware_families": [ "Cyclops blink - s0687", "Cryptomix" ], "industries": [ "Government", "Technology", "Finance" ] }, "other": { "adversary": [ "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter" ], "malware_families": [ "Cryptomix", "Clop" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "690b1b175f4f05eaf8f6c0e0", "name": "CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE", "description": "The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVit and FORTRA Go-Anywhere exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.", "modified": "2025-12-05T09:00:38.044000", "created": "2025-11-05T09:38:31.645000", "tags": [ "cve-2025-61882", "cve-2023-0669", "cyclops blink", "cryptomix", "infrastructure", "oracle ebs", "cve-2023-34362", "ransomware", "fingerprints", "ip addresses", "network analysis" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "Clop", "targeted_countries": [ "Germany", "Brazil", "Panama", "Russian Federation", "Netherlands", "United States of America", "Canada" ], "malware_families": [ { "id": "Cyclops Blink - S0687", "display_name": "Cyclops Blink - S0687", "target": null }, { "id": "CryptoMix", "display_name": "CryptoMix", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Technology", "Finance", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 12, "URL": 1, "domain": 7 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 387167, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690cab125d637500bd002d48", "name": "CLOP RANSOMWARE: DISSECTING NETWORK", "description": "Clop ransomware, operating since early 2019, has infiltrated a range of corporate and private networks, with estimated extortion profits exceeding $500 million. Originating from a group believed to be based in Russia, Clop avoids targeting Commonwealth of Independent States (CIS) countries. This ransomware variant is considered a successor to CryptoMix ransomware, which emerged in 2016. A notable technical aspect of Clop's operations includes the exploitation of vulnerabilities such as CVE-2025-61882, an Oracle E-Business Suite zero-day exploit that came to light in June 2025. This specific attack method underscores Clop's sophisticated approach to leveraging emerging CVEs for network infiltration. Analysis of Clop's network reveals a trend in IP usage, with Germany, Brazil, Panama, and Hong Kong being prominent sources. Out of 96 identified IPs associated with Clop, 41 subnet IPs have been reused, indicating a systematic approach to infrastructure.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T14:05:06.749000", "tags": [ "cl0p", "group", "clop", "russia", "exploit", "fingerprint", "panama", "movit exploit", "research", "suite", "june", "path", "cryptomix" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "Lebanon", "Iran, Islamic Republic of", "Azerbaijan" ], "malware_families": [ { "id": "CryptoMix", "display_name": "CryptoMix", "target": null }, { "id": "Clop", "display_name": "Clop", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-SHA256": 12, "domain": 7 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 547, "modified_text": "179 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690b3e15fa1f58b81bdfb81d", "name": "EbeeNov2025 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-05T12:04:04.227000", "created": "2025-11-05T12:07:49.857000", "tags": [], "references": [ "Nov.Week1.pdf" ], "public": 1, "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed \u2022PDFClick \u2022DesertDexter", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "FileHash-MD5": 152, "FileHash-SHA1": 99, "FileHash-SHA256": 186, "domain": 28, "email": 9, "hostname": 21 }, "indicator_count": 544, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "180 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690981f1bb64d70b9843c1d6", "name": "CLOP RANSOMWARE: DISSECTING NETWORK: THE RAVEN FILE", "description": "Found strong indicators of Clop Ransomware which had been used in 2023 Exploits by the Group!\n\nIn-depth analysis of Clop (cl0p) ransomware\u2019s current network infrastructure, mapping 96 IPs across 20+ countries. Reveals 77.8% subnet reuse, persistent C2 fingerprints from 2023 MOVEit attacks, and active exploitation of Oracle EBS zero-day (CVE-2025-61882). Includes high-confidence IOCs, leak domains, and defender guidance.", "modified": "2025-12-04T04:04:50.506000", "created": "2025-11-04T04:32:49.244000", "tags": [ "cl0p", "group", "clop", "russia", "exploit", "fingerprint", "panama", "movit exploit", "research", "facebook", "ransomware", "zeroday", "0day", "darkweb" ], "references": [ "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 12, "URL": 1, "domain": 7 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "181 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "in2pay.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "in2pay.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780512478.3565643 }