{ "type": "Domain", "indicator": "influenceimmo.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/influenceimmo.com", "alexa": "http://www.alexa.com/siteinfo/influenceimmo.com", "indicator": "influenceimmo.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4146268273, "indicator": "influenceimmo.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f3c5dc4e3987d08cb8055", "name": "GootLoader New Evasion Methods Target Search Driven Workflows", "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered to deceive security sandboxes by appearing harmless while extracting a malicious .js file for human users. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host, specifically WScript.exe or CScript.exe, which in turn invokes PowerShell to retrieve subsequent malicious payloads.", "modified": "2025-12-08T12:03:02.393000", "created": "2025-11-08T12:49:33.537000", "tags": [ "phishing", "malware", "zip", "initial access loader", "gootloader", "ip archive evasion", "powershell", "unc2565", "wordpress", "windows script", "gootbot", "cobalt strike", "startup", "storm0494", "gootkit", "loader", "rhysida", "blackcat", "zeppelin", "score", "python", "global", "execution", "evolution", "gootloader jscript", "hostnames", "ipv4", "hashes", "sha256" ], "references": [ "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader JScript", "display_name": "GootLoader JScript", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Legal", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ca8f2a871ffdf54c2795f", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T13:56:02.390000", "tags": [ "gootloader", "javascript file", "supper backdoor", "c2 server", "vanilla tempest", "powershell", "case", "sha256", "javascript", "windows", "path", "blackcat", "zeppelin", "download", "back", "supper socks5", "oysterloader", "section).the", "supper", "huntress" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gootloader", "display_name": "Gootloader", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation", "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu" ], "malware_families": [ "Gootloader", "Cobalt strike", "Oysterloader", "Gootloader jscript" ], "industries": [ "Financial", "Legal" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6916a9fe746743e69478d360", "name": "EbeeNov2025 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-14T03:00:57.826000", "created": "2025-11-14T04:03:10.501000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20179805 cve" ], "references": [], "public": 1, "adversary": "LANDFALL, GootLoader, EndClient RAT, God RAT, Infrastructure aurologic GmbHUNK, RondoBox, Fantasy Hu", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 207, "FileHash-SHA1": 174, "FileHash-SHA256": 237, "domain": 153, "URL": 85, "CVE": 5, "hostname": 39 }, "indicator_count": 900, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "170 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690f3c5dc4e3987d08cb8055", "name": "GootLoader New Evasion Methods Target Search Driven Workflows", "description": "GootLoader, operated by the threat group UNC2565 (also known as Storm-0494), has resurfaced with advanced techniques to exploit search-driven workflows. This malware loader is central to a sophisticated Access-as-a-Service platform that facilitates initial access for ransomware affiliates, including Vanilla Tempest, and leverages SEO poisoning to attract users searching for business document templates. A notable attack technique involves the use of a dual-personality ZIP archive. This archive is engineered to deceive security sandboxes by appearing harmless while extracting a malicious .js file for human users. Upon execution, usually triggered by the user double-clicking the JScript file, the payload launches through Windows Script Host, specifically WScript.exe or CScript.exe, which in turn invokes PowerShell to retrieve subsequent malicious payloads.", "modified": "2025-12-08T12:03:02.393000", "created": "2025-11-08T12:49:33.537000", "tags": [ "phishing", "malware", "zip", "initial access loader", "gootloader", "ip archive evasion", "powershell", "unc2565", "wordpress", "windows script", "gootbot", "cobalt strike", "startup", "storm0494", "gootkit", "loader", "rhysida", "blackcat", "zeppelin", "score", "python", "global", "execution", "evolution", "gootloader jscript", "hostnames", "ipv4", "hashes", "sha256" ], "references": [ "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "GootLoader JScript", "display_name": "GootLoader JScript", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Legal", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "176 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690ca8f2a871ffdf54c2795f", "name": "Gootloader Returns: What Goodies Did They Bring?", "description": "Gootloader, a JavaScript-based malware loader, has resurfaced with renewed activity after a brief hiatus. This malware is primarily used by the threat actor known as Storm-0494 to gain initial access, often leveraging SEO poisoning to attract users to compromised sites. Gootloader employs heavily obfuscated JavaScript to deliver additional payloads and is known for facilitating infections that lead to the deployment of various ransomware families, such as Rhysida, BlackCat, Zeppelin, and Quantum Locker through another actor, Vanilla Tempest.\n\nOne of the novel techniques used in recent Gootloader operations includes the incorporation of custom WOFF2 fonts, which employ glyph substitution to obscure filenames. The loader exploits WordPress comment submission endpoints to deliver XOR-encrypted ZIP files containing payloads, with a unique decryption key hardcoded in the site\u2019s source code.", "modified": "2025-12-06T13:02:41.371000", "created": "2025-11-06T13:56:02.390000", "tags": [ "gootloader", "javascript file", "supper backdoor", "c2 server", "vanilla tempest", "powershell", "case", "sha256", "javascript", "windows", "path", "blackcat", "zeppelin", "download", "back", "supper socks5", "oysterloader", "section).the", "supper", "huntress" ], "references": [ "https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Gootloader", "display_name": "Gootloader", "target": null }, { "id": "OysterLoader", "display_name": "OysterLoader", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 68, "FileHash-SHA256": 10, "domain": 55, "hostname": 13 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "178 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "influenceimmo.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "influenceimmo.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780418870.954109 }