{
  "type": "Domain",
  "indicator": "infinityfreeapp.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/infinityfreeapp.com",
    "alexa": "http://www.alexa.com/siteinfo/infinityfreeapp.com",
    "indicator": "infinityfreeapp.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3666407186,
      "indicator": "infinityfreeapp.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "6579b53c00375a2dcfaaf952",
          "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "Researchers have uncovered a sophisticated Russian state-sponsored cyber-attack that leverages legitimate documents to deliver Headlace malware to victims of the Israel-Hamas conflict, primarily based in Europe.",
          "modified": "2025-09-26T12:33:49.381000",
          "created": "2023-12-13T13:44:27.660000",
          "tags": [
            "itg05",
            "september",
            "ukraine",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "belarus",
            "service",
            "winrar",
            "nishang",
            "graphite",
            "credomap",
            "gootloader",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 400,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 3
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387121,
          "modified_text": "250 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6842284d6a04a6c334dc13ef",
          "name": "InQuest - 05-06-2025",
          "description": "",
          "modified": "2025-07-05T23:04:57.997000",
          "created": "2025-06-05T23:29:17.072000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 247,
            "URL": 881,
            "domain": 522,
            "hostname": 127,
            "FileHash-SHA1": 113,
            "FileHash-MD5": 47
          },
          "indicator_count": 1937,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6837c4d7ee9368a069a48ded",
          "name": "APT41: Innovative Tactics and Techniques in Cyber Espionage.",
          "description": "APT41 is a persistent threat group known for its innovative tactics and multifaceted operations in cyber espionage. The article examines APT41's unique methodologies, highlighting the group's ability to pivot across sectors and geographies while employing a range of sophisticated techniques.",
          "modified": "2025-05-29T02:22:15.609000",
          "created": "2025-05-29T02:22:15.609000",
          "tags": [
            "plusbed",
            "toughprogress",
            "gtig",
            "b8 b9",
            "ff d0"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TOUGHPROGRESS",
              "display_name": "TOUGHPROGRESS",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 4,
            "YARA": 1,
            "hostname": 21,
            "URL": 43,
            "domain": 4
          },
          "indicator_count": 81,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 546,
          "modified_text": "370 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c6090b8d4b149e72aa3f31",
          "name": "Pawn Storm Uses Brute Force and Stealth Against High-Value Targets",
          "description": "Trend Vision One offers a comprehensive range of solutions for business, healthcare and other sectors, as well as the latest 5G network and cloud-native apps, to protect against cyber-attacks and threats.",
          "modified": "2024-03-10T11:05:48.248000",
          "created": "2024-02-09T11:14:19.308000",
          "tags": [
            "apt & targeted attacks",
            "research",
            "exploits & vulnerabilities",
            "phishing",
            "articles",
            "news",
            "reports",
            "learn",
            "pawn storm",
            "middle east",
            "edgeos",
            "europe",
            "ministry",
            "trend micro",
            "south america",
            "asia",
            "urls",
            "alliance",
            "april",
            "stop",
            "storm",
            "hybrid",
            "small",
            "protect",
            "carriers",
            "attack",
            "matrix",
            "shell",
            "august",
            "virustotal",
            "webdav",
            "next",
            "bank",
            "find",
            "indonesia",
            "information",
            "fernando"
          ],
          "references": [
            "https://www.trendmicro.com/en_no/research/24/a/pawn-storm-uses-brute-force-and-stealth.html#:~:text=Based%20on%20our%20estimates%2C%20from,government%20departments%20that%20it%20targeted."
          ],
          "public": 1,
          "adversary": "Pawn Storm",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Fernando",
              "display_name": "Fernando",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Defense",
            "Transportation",
            "Foreign Affairs",
            "Military"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "santravault1",
            "id": "217419",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 2
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 77,
          "modified_text": "815 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659c88827d014b8ac6738dae",
          "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi or Bluetooth | Malicious ",
          "description": "",
          "modified": "2024-02-07T23:03:25.817000",
          "created": "2024-01-08T23:42:58.409000",
          "tags": [
            "as21690",
            "united",
            "unknown",
            "search",
            "entries",
            "creation date",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "domain"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "64d65255c80d866add600bac",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1448,
            "hostname": 3973,
            "email": 2,
            "URL": 10456,
            "FileHash-SHA256": 3308,
            "FileHash-MD5": 354,
            "FileHash-SHA1": 350,
            "CVE": 2
          },
          "indicator_count": 19893,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "846 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6585c1fbb01e2efe07097c81",
          "name": " ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "",
          "modified": "2023-12-22T17:06:03.020000",
          "created": "2023-12-22T17:06:03.020000",
          "tags": [
            "nation-state attacks",
            "x-force",
            "ibm x-force research",
            "security intelligence & analytics",
            "security intelligence",
            "data security",
            "malware",
            "itg05",
            "headlace",
            "september",
            "ukraine",
            "united",
            "republic",
            "december",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "xforce",
            "bank",
            "belarus",
            "scroll",
            "service",
            "later",
            "august",
            "winrar",
            "mission",
            "main",
            "nishang",
            "graphite",
            "credomap",
            "install",
            "mocky api",
            ".cmd",
            "gootloader",
            "headlace cmd",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": ".CMD",
              "display_name": ".CMD",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "Headlace CMD",
              "display_name": "Headlace CMD",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": "65796f389815733da2b2bb91",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "893 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657ae05eb2f6cd248eae7bcf",
          "name": "Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign",
          "description": "The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.\n\nIBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.\n\n\"The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers,\" security researchers Golo M\u00fchr, Claire Zaboeva, and Joe Fasulo said.",
          "modified": "2023-12-14T11:00:46.240000",
          "created": "2023-12-14T11:00:46.240000",
          "tags": [
            "malware",
            "x-force",
            "ibm x-force research",
            "nation-state attacks",
            "security intelligence",
            "security intelligence & analytics",
            "data security",
            "itg05",
            "headlace",
            "september",
            "ukraine",
            "united",
            "republic",
            "december",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "xforce",
            "bank",
            "belarus",
            "scroll",
            "service",
            "later",
            "august",
            "winrar",
            "mission",
            "main",
            "nishang",
            "graphite",
            "credomap",
            "install",
            "mocky api",
            ".cmd",
            "gootloader",
            "headlace cmd",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/",
            "https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": ".CMD",
              "display_name": ".CMD",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "Headlace CMD",
              "display_name": "Headlace CMD",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 328,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 440,
          "modified_text": "902 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6579e0a24d6227b1f66c23c8",
          "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "",
          "modified": "2023-12-13T16:49:38.756000",
          "created": "2023-12-13T16:49:38.756000",
          "tags": [
            "itg05",
            "september",
            "ukraine",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "belarus",
            "service",
            "winrar",
            "nishang",
            "graphite",
            "credomap",
            "gootloader",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": "6579b53c00375a2dcfaaf952",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "burtcha15",
            "id": "207697",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 54,
          "modified_text": "902 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65796f389815733da2b2bb91",
          "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "IBM X-Force has uncovered a sophisticated Russian state-sponsored cyber-attack that leverages legitimate documents to deliver Headlace malware to victims of the Israel-Hamas conflict, primarily based in Europe.",
          "modified": "2023-12-13T08:45:44.647000",
          "created": "2023-12-13T08:45:44.647000",
          "tags": [
            "nation-state attacks",
            "x-force",
            "ibm x-force research",
            "security intelligence & analytics",
            "security intelligence",
            "data security",
            "malware",
            "itg05",
            "headlace",
            "september",
            "ukraine",
            "united",
            "republic",
            "december",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "xforce",
            "bank",
            "belarus",
            "scroll",
            "service",
            "later",
            "august",
            "winrar",
            "mission",
            "main",
            "nishang",
            "graphite",
            "credomap",
            "install",
            "mocky api",
            ".cmd",
            "gootloader",
            "headlace cmd",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": ".CMD",
              "display_name": ".CMD",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "Headlace CMD",
              "display_name": "Headlace CMD",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "903 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65796449e312061668a5aec0",
          "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "",
          "modified": "2023-12-13T07:59:05.896000",
          "created": "2023-12-13T07:59:05.896000",
          "tags": [
            "malware",
            "security intelligence & analytics",
            "data security",
            "security intelligence",
            "x-force",
            "ibm x-force research",
            "nation-state attacks",
            "itg05",
            "headlace",
            "september",
            "ukraine",
            "united",
            "republic",
            "december",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "xforce",
            "bank",
            "belarus",
            "scroll",
            "service",
            "later",
            "august",
            "winrar",
            "mission",
            "main",
            "nishang",
            "graphite",
            "credomap",
            "install",
            "mocky api",
            ".cmd",
            "gootloader",
            "headlace cmd",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": ".CMD",
              "display_name": ".CMD",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "Headlace CMD",
              "display_name": "Headlace CMD",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": "657881ca690a24eeff3b9ade",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "903 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657881ca690a24eeff3b9ade",
          "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
          "description": "The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.\n\nIBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.\n\n\"The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers,\" security researchers Golo M\u00fchr, Claire Zaboeva, and Joe Fasulo said.\n\n\"ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign.\"",
          "modified": "2023-12-12T15:52:42.298000",
          "created": "2023-12-12T15:52:42.298000",
          "tags": [
            "malware",
            "security intelligence & analytics",
            "data security",
            "security intelligence",
            "x-force",
            "ibm x-force research",
            "nation-state attacks",
            "itg05",
            "headlace",
            "september",
            "ukraine",
            "united",
            "republic",
            "december",
            "azerbaijan",
            "israel",
            "razumkov centre",
            "xforce",
            "bank",
            "belarus",
            "scroll",
            "service",
            "later",
            "august",
            "winrar",
            "mission",
            "main",
            "nishang",
            "graphite",
            "credomap",
            "install",
            "mocky api",
            ".cmd",
            "gootloader",
            "headlace cmd",
            "wailingcrab",
            "mocky"
          ],
          "references": [
            "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Hungary",
            "Poland",
            "Belgium",
            "Germany",
            "Azerbaijan",
            "Saudi Arabia",
            "Kazakhstan",
            "Australia",
            "Italy",
            "Latvia",
            "Romania",
            "Austria",
            "Israel",
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mocky API",
              "display_name": "Mocky API",
              "target": null
            },
            {
              "id": ".CMD",
              "display_name": ".CMD",
              "target": null
            },
            {
              "id": "Gootloader",
              "display_name": "Gootloader",
              "target": null
            },
            {
              "id": "Headlace CMD",
              "display_name": "Headlace CMD",
              "target": null
            },
            {
              "id": "WailingCrab",
              "display_name": "WailingCrab",
              "target": null
            },
            {
              "id": "Mocky",
              "display_name": "Mocky",
              "target": null
            },
            {
              "id": "Headlace",
              "display_name": "Headlace",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 36,
            "URL": 13,
            "domain": 2,
            "hostname": 4
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 249,
          "modified_text": "903 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "643e7ec082e1b65ffb5a5765",
          "name": "Phishing Attack Activities: Threat Actors in Sheep\u2019s Clothing (ENG) - Malware News - Malware Analysis, News and Indicators",
          "description": "A report on phishing attacks carried out by SectorA groups, mainly targeting South Korea, outlines the current status of the attacks and how they affect the victims\u2019 personal and business interests.",
          "modified": "2023-04-18T11:28:00.685000",
          "created": "2023-04-18T11:28:00.685000",
          "tags": [
            "sectora05",
            "sectora",
            "south korea",
            "naver",
            "figure",
            "united",
            "north korea",
            "google",
            "table",
            "tlds",
            "attack",
            "daum",
            "beware",
            "april",
            "main",
            "bitcoin"
          ],
          "references": [
            "https://malware.news/t/phishing-attack-activities-threat-actors-in-sheep-s-clothing-eng/68805/1"
          ],
          "public": 1,
          "adversary": "SectorA05",
          "targeted_countries": [
            "Korea, Republic of"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Financial",
            "Technology",
            "Political",
            "Government",
            "Clothing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 1,
            "hostname": 10,
            "URL": 1,
            "domain": 6,
            "email": 1
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1142 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/",
        "https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html",
        "https://www.trendmicro.com/en_no/research/24/a/pawn-storm-uses-brute-force-and-stealth.html#:~:text=Based%20on%20our%20estimates%2C%20from,government%20departments%20that%20it%20targeted.",
        "https://labs.inquest.net/iocdb",
        "https://malware.news/t/phishing-attack-activities-threat-actors-in-sheep-s-clothing-eng/68805/1"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Gootloader",
            "Headlace",
            "Mocky api",
            "Wailingcrab",
            "Mocky"
          ],
          "industries": [
            "Government",
            "Finance",
            "Diplomatic"
          ]
        },
        "other": {
          "adversary": [
            "Pawn Storm",
            "SectorA05"
          ],
          "malware_families": [
            "Gootloader",
            "Headlace",
            "Headlace cmd",
            "Fernando",
            "Mocky api",
            ".cmd",
            "Wailingcrab",
            "Mocky",
            "Toughprogress"
          ],
          "industries": [
            "Political",
            "Clothing",
            "Financial",
            "Finance",
            "Diplomatic",
            "Government",
            "Defense",
            "Transportation",
            "Technology",
            "Foreign affairs",
            "Energy",
            "Military"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "6579b53c00375a2dcfaaf952",
      "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
      "description": "Researchers have uncovered a sophisticated Russian state-sponsored cyber-attack that leverages legitimate documents to deliver Headlace malware to victims of the Israel-Hamas conflict, primarily based in Europe.",
      "modified": "2025-09-26T12:33:49.381000",
      "created": "2023-12-13T13:44:27.660000",
      "tags": [
        "itg05",
        "september",
        "ukraine",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "belarus",
        "service",
        "winrar",
        "nishang",
        "graphite",
        "credomap",
        "gootloader",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 400,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 3
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387121,
      "modified_text": "250 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6842284d6a04a6c334dc13ef",
      "name": "InQuest - 05-06-2025",
      "description": "",
      "modified": "2025-07-05T23:04:57.997000",
      "created": "2025-06-05T23:29:17.072000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 247,
        "URL": 881,
        "domain": 522,
        "hostname": 127,
        "FileHash-SHA1": 113,
        "FileHash-MD5": 47
      },
      "indicator_count": 1937,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6837c4d7ee9368a069a48ded",
      "name": "APT41: Innovative Tactics and Techniques in Cyber Espionage.",
      "description": "APT41 is a persistent threat group known for its innovative tactics and multifaceted operations in cyber espionage. The article examines APT41's unique methodologies, highlighting the group's ability to pivot across sectors and geographies while employing a range of sophisticated techniques.",
      "modified": "2025-05-29T02:22:15.609000",
      "created": "2025-05-29T02:22:15.609000",
      "tags": [
        "plusbed",
        "toughprogress",
        "gtig",
        "b8 b9",
        "ff d0"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TOUGHPROGRESS",
          "display_name": "TOUGHPROGRESS",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 4,
        "YARA": 1,
        "hostname": 21,
        "URL": 43,
        "domain": 4
      },
      "indicator_count": 81,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 546,
      "modified_text": "370 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65c6090b8d4b149e72aa3f31",
      "name": "Pawn Storm Uses Brute Force and Stealth Against High-Value Targets",
      "description": "Trend Vision One offers a comprehensive range of solutions for business, healthcare and other sectors, as well as the latest 5G network and cloud-native apps, to protect against cyber-attacks and threats.",
      "modified": "2024-03-10T11:05:48.248000",
      "created": "2024-02-09T11:14:19.308000",
      "tags": [
        "apt & targeted attacks",
        "research",
        "exploits & vulnerabilities",
        "phishing",
        "articles",
        "news",
        "reports",
        "learn",
        "pawn storm",
        "middle east",
        "edgeos",
        "europe",
        "ministry",
        "trend micro",
        "south america",
        "asia",
        "urls",
        "alliance",
        "april",
        "stop",
        "storm",
        "hybrid",
        "small",
        "protect",
        "carriers",
        "attack",
        "matrix",
        "shell",
        "august",
        "virustotal",
        "webdav",
        "next",
        "bank",
        "find",
        "indonesia",
        "information",
        "fernando"
      ],
      "references": [
        "https://www.trendmicro.com/en_no/research/24/a/pawn-storm-uses-brute-force-and-stealth.html#:~:text=Based%20on%20our%20estimates%2C%20from,government%20departments%20that%20it%20targeted."
      ],
      "public": 1,
      "adversary": "Pawn Storm",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Fernando",
          "display_name": "Fernando",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Defense",
        "Transportation",
        "Foreign Affairs",
        "Military"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "santravault1",
        "id": "217419",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 2
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 77,
      "modified_text": "815 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "659c88827d014b8ac6738dae",
      "name": "STRIVEN.COM | Remote videos to my device | Disabled WiFi or Bluetooth | Malicious ",
      "description": "",
      "modified": "2024-02-07T23:03:25.817000",
      "created": "2024-01-08T23:42:58.409000",
      "tags": [
        "as21690",
        "united",
        "unknown",
        "search",
        "entries",
        "creation date",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "domain"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "64d65255c80d866add600bac",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1448,
        "hostname": 3973,
        "email": 2,
        "URL": 10456,
        "FileHash-SHA256": 3308,
        "FileHash-MD5": 354,
        "FileHash-SHA1": 350,
        "CVE": 2
      },
      "indicator_count": 19893,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 223,
      "modified_text": "846 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6585c1fbb01e2efe07097c81",
      "name": " ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
      "description": "",
      "modified": "2023-12-22T17:06:03.020000",
      "created": "2023-12-22T17:06:03.020000",
      "tags": [
        "nation-state attacks",
        "x-force",
        "ibm x-force research",
        "security intelligence & analytics",
        "security intelligence",
        "data security",
        "malware",
        "itg05",
        "headlace",
        "september",
        "ukraine",
        "united",
        "republic",
        "december",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "xforce",
        "bank",
        "belarus",
        "scroll",
        "service",
        "later",
        "august",
        "winrar",
        "mission",
        "main",
        "nishang",
        "graphite",
        "credomap",
        "install",
        "mocky api",
        ".cmd",
        "gootloader",
        "headlace cmd",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": ".CMD",
          "display_name": ".CMD",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "Headlace CMD",
          "display_name": "Headlace CMD",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": "65796f389815733da2b2bb91",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "feisty-swim1410",
        "id": "217462",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "893 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "657ae05eb2f6cd248eae7bcf",
      "name": "Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign",
      "description": "The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.\n\nIBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.\n\n\"The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers,\" security researchers Golo M\u00fchr, Claire Zaboeva, and Joe Fasulo said.",
      "modified": "2023-12-14T11:00:46.240000",
      "created": "2023-12-14T11:00:46.240000",
      "tags": [
        "malware",
        "x-force",
        "ibm x-force research",
        "nation-state attacks",
        "security intelligence",
        "security intelligence & analytics",
        "data security",
        "itg05",
        "headlace",
        "september",
        "ukraine",
        "united",
        "republic",
        "december",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "xforce",
        "bank",
        "belarus",
        "scroll",
        "service",
        "later",
        "august",
        "winrar",
        "mission",
        "main",
        "nishang",
        "graphite",
        "credomap",
        "install",
        "mocky api",
        ".cmd",
        "gootloader",
        "headlace cmd",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/",
        "https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": ".CMD",
          "display_name": ".CMD",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "Headlace CMD",
          "display_name": "Headlace CMD",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 328,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 440,
      "modified_text": "902 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6579e0a24d6227b1f66c23c8",
      "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
      "description": "",
      "modified": "2023-12-13T16:49:38.756000",
      "created": "2023-12-13T16:49:38.756000",
      "tags": [
        "itg05",
        "september",
        "ukraine",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "belarus",
        "service",
        "winrar",
        "nishang",
        "graphite",
        "credomap",
        "gootloader",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": "6579b53c00375a2dcfaaf952",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "burtcha15",
        "id": "207697",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 54,
      "modified_text": "902 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65796f389815733da2b2bb91",
      "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
      "description": "IBM X-Force has uncovered a sophisticated Russian state-sponsored cyber-attack that leverages legitimate documents to deliver Headlace malware to victims of the Israel-Hamas conflict, primarily based in Europe.",
      "modified": "2023-12-13T08:45:44.647000",
      "created": "2023-12-13T08:45:44.647000",
      "tags": [
        "nation-state attacks",
        "x-force",
        "ibm x-force research",
        "security intelligence & analytics",
        "security intelligence",
        "data security",
        "malware",
        "itg05",
        "headlace",
        "september",
        "ukraine",
        "united",
        "republic",
        "december",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "xforce",
        "bank",
        "belarus",
        "scroll",
        "service",
        "later",
        "august",
        "winrar",
        "mission",
        "main",
        "nishang",
        "graphite",
        "credomap",
        "install",
        "mocky api",
        ".cmd",
        "gootloader",
        "headlace cmd",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": ".CMD",
          "display_name": ".CMD",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "Headlace CMD",
          "display_name": "Headlace CMD",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "903 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65796449e312061668a5aec0",
      "name": "ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware",
      "description": "",
      "modified": "2023-12-13T07:59:05.896000",
      "created": "2023-12-13T07:59:05.896000",
      "tags": [
        "malware",
        "security intelligence & analytics",
        "data security",
        "security intelligence",
        "x-force",
        "ibm x-force research",
        "nation-state attacks",
        "itg05",
        "headlace",
        "september",
        "ukraine",
        "united",
        "republic",
        "december",
        "azerbaijan",
        "israel",
        "razumkov centre",
        "xforce",
        "bank",
        "belarus",
        "scroll",
        "service",
        "later",
        "august",
        "winrar",
        "mission",
        "main",
        "nishang",
        "graphite",
        "credomap",
        "install",
        "mocky api",
        ".cmd",
        "gootloader",
        "headlace cmd",
        "wailingcrab",
        "mocky"
      ],
      "references": [
        "https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine",
        "Hungary",
        "Poland",
        "Belgium",
        "Germany",
        "Azerbaijan",
        "Saudi Arabia",
        "Kazakhstan",
        "Australia",
        "Italy",
        "Latvia",
        "Romania",
        "Austria",
        "Israel",
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mocky API",
          "display_name": "Mocky API",
          "target": null
        },
        {
          "id": ".CMD",
          "display_name": ".CMD",
          "target": null
        },
        {
          "id": "Gootloader",
          "display_name": "Gootloader",
          "target": null
        },
        {
          "id": "Headlace CMD",
          "display_name": "Headlace CMD",
          "target": null
        },
        {
          "id": "WailingCrab",
          "display_name": "WailingCrab",
          "target": null
        },
        {
          "id": "Mocky",
          "display_name": "Mocky",
          "target": null
        },
        {
          "id": "Headlace",
          "display_name": "Headlace",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": "657881ca690a24eeff3b9ade",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 36,
        "URL": 13,
        "domain": 2,
        "hostname": 4
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "903 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "infinityfreeapp.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "infinityfreeapp.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780499240.984031
}