{ "type": "Domain", "indicator": "intelmeserver.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/intelmeserver.com", "alexa": "http://www.alexa.com/siteinfo/intelmeserver.com", "indicator": "intelmeserver.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1072751, "indicator": "intelmeserver.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "581225550ab09a3af35ae12b", "name": "Sednit Downloader DOWNDELPH", "description": "The Sednit group\u2014variously also known as APT28, Fancy Bear, Sofacy, Pawn Storm, STRONTIUM and Tsar Team\u2014is a group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets. Over the past two years, this group\u2019s activity has increased significantly, with numerous attacks against government departments and embassies all over the world. Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde [3]. Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics", "modified": "2017-03-06T17:12:24.348000", "created": "2016-10-27T16:03:33.284000", "tags": [ "apt28", "sofacy", "sednit", "DOWNDELPH", "eset" ], "references": [ "https://github.com/eset/malware-ioc/blob/master/sednit/part3.adoc" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "United States", "Germany", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "government" ], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-SHA1": 14, "IPv4": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 376763, "modified_text": "3326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2aeda9208d878d08ad72e", "name": "Sednit reloaded: Back in the trenches", "description": "Sednit, also known as APT28 or Fancy Bear, has made a notable return with a sophisticated toolkit incorporating dual implants, BeardShell and Covenant, aimed primarily at Ukrainian military personnel. The revived operations show a strong linkage to the group's past techniques and codebases, particularly highlighting the reemergence of their advanced implant team since April 2024.", "modified": "2026-04-11T14:27:21.810000", "created": "2026-03-12T12:17:30.703000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" ], "public": 1, "adversary": "APT28", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Military" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 58, "hostname": 10, "FileHash-SHA1": 105, "FileHash-MD5": 1 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707cfd7deec618b32401ae", "name": "yarex_APTMalware", "description": "", "modified": "2023-12-06T13:54:05.062000", "created": "2023-12-06T13:54:05.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1429, "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "hostname": 48, "URL": 146, "domain": 85, "YARA": 965, "email": 2 }, "indicator_count": 7699, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61ebb686fb654ea04bf28cd4", "name": "yarex_APTMalware", "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex", "modified": "2022-04-27T00:03:12.448000", "created": "2022-01-22T07:47:18.162000", "tags": [ "clsid", "quvtohr", "yara rule", "set author", "identifier", "aptmalwareapt28", "rule", "nblockuse", "start", "dbcsbuffer", "nbsp", "name", "ithesaurusword", "namespace3http", "wdcecfchgigjg", "address", "aptmalwareapt21", "ainfbf", "dekmcugcl", "dltuntu", "edbfa", "zyxzedbfa", "path", "newwindow", "aptmalwareapt1", "j5feq1a", "yljl8wk29gvu", "assoc", "aptmalwareapt29", "b8b4b0b", "closehandle", "matchlen", "finishmsg", "feedback", "error", "cimagemanager", "getimage", "ccmdtarget", "getdata", "p6gpav2", "getruntimeclass", "aptmalwareapt19", "enpi", "vmrqs", "mmnmbivesahl", "dvirev", "failed", "ctrll", "lookup", "ctrlshiftr", "ascii ctrla", "rule set", "vgkjbmcqvepmkjw", "ihjw9", "shellmainthread", "initfirst", "filesexcalibur", "filemg1", "entry", "socket", "concurrency", "shell", "aptmalwareapt30", "okbps", "plcqtobyjf" ], "references": [ "APT 30.yar", "Equation Group.yar", "Winnti.yar", "Energetic Bear.yar", "Dark Hotel.yar", "APT 19.yar", "APT 10.yar", "APT 29.yar", "APT 1.yar", "APT 21.yar", "Gorgon Group.yar", "APT 28.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "resteex0", "id": "175858", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "FileHash-SHA256": 1429, "YARA": 979, "URL": 146, "domain": 85, "hostname": 48, "email": 2 }, "indicator_count": 7713, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/", "APT 30.yar", "Energetic Bear.yar", "Dark Hotel.yar", "Gorgon Group.yar", "APT 1.yar", "APT 19.yar", "APT 29.yar", "APT 10.yar", "APT 21.yar", "https://github.com/eset/malware-ioc/blob/master/sednit/part3.adoc", "Equation Group.yar", "Winnti.yar", "APT 28.yar" ], "related": { "alienvault": { "adversary": [ "Sofacy" ], "malware_families": [], "industries": [ "Government" ] }, "other": { "adversary": [ "APT28" ], "malware_families": [], "industries": [ "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "581225550ab09a3af35ae12b", "name": "Sednit Downloader DOWNDELPH", "description": "The Sednit group\u2014variously also known as APT28, Fancy Bear, Sofacy, Pawn Storm, STRONTIUM and Tsar Team\u2014is a group of attackers operating since 2004 if not earlier, whose main objective is to steal confidential information from specific targets. Over the past two years, this group\u2019s activity has increased significantly, with numerous attacks against government departments and embassies all over the world. Among their most notable presumed targets are the American Democratic National Committee, the German parliament and the French television network TV5Monde [3]. Moreover, the Sednit group has a special interest in Eastern Europe, where it regularly targets individuals and organizations involved in geopolitics", "modified": "2017-03-06T17:12:24.348000", "created": "2016-10-27T16:03:33.284000", "tags": [ "apt28", "sofacy", "sednit", "DOWNDELPH", "eset" ], "references": [ "https://github.com/eset/malware-ioc/blob/master/sednit/part3.adoc" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "United States", "Germany", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "government" ], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-SHA1": 14, "IPv4": 2 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 376763, "modified_text": "3326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b2aeda9208d878d08ad72e", "name": "Sednit reloaded: Back in the trenches", "description": "Sednit, also known as APT28 or Fancy Bear, has made a notable return with a sophisticated toolkit incorporating dual implants, BeardShell and Covenant, aimed primarily at Ukrainian military personnel. The revived operations show a strong linkage to the group's past techniques and codebases, particularly highlighting the reemergence of their advanced implant team since April 2024.", "modified": "2026-04-11T14:27:21.810000", "created": "2026-03-12T12:17:30.703000", "tags": [], "references": [ "https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/" ], "public": 1, "adversary": "APT28", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" } ], "industries": [ "Military" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 58, "hostname": 10, "FileHash-SHA1": 105, "FileHash-MD5": 1 }, "indicator_count": 174, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707cfd7deec618b32401ae", "name": "yarex_APTMalware", "description": "", "modified": "2023-12-06T13:54:05.062000", "created": "2023-12-06T13:54:05.062000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1429, "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "hostname": 48, "URL": 146, "domain": 85, "YARA": 965, "email": 2 }, "indicator_count": 7699, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "860 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61ebb686fb654ea04bf28cd4", "name": "yarex_APTMalware", "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex", "modified": "2022-04-27T00:03:12.448000", "created": "2022-01-22T07:47:18.162000", "tags": [ "clsid", "quvtohr", "yara rule", "set author", "identifier", "aptmalwareapt28", "rule", "nblockuse", "start", "dbcsbuffer", "nbsp", "name", "ithesaurusword", "namespace3http", "wdcecfchgigjg", "address", "aptmalwareapt21", "ainfbf", "dekmcugcl", "dltuntu", "edbfa", "zyxzedbfa", "path", "newwindow", "aptmalwareapt1", "j5feq1a", "yljl8wk29gvu", "assoc", "aptmalwareapt29", "b8b4b0b", "closehandle", "matchlen", "finishmsg", "feedback", "error", "cimagemanager", "getimage", "ccmdtarget", "getdata", "p6gpav2", "getruntimeclass", "aptmalwareapt19", "enpi", "vmrqs", "mmnmbivesahl", "dvirev", "failed", "ctrll", "lookup", "ctrlshiftr", "ascii ctrla", "rule set", "vgkjbmcqvepmkjw", "ihjw9", "shellmainthread", "initfirst", "filesexcalibur", "filemg1", "entry", "socket", "concurrency", "shell", "aptmalwareapt30", "okbps", "plcqtobyjf" ], "references": [ "APT 30.yar", "Equation Group.yar", "Winnti.yar", "Energetic Bear.yar", "Dark Hotel.yar", "APT 19.yar", "APT 10.yar", "APT 29.yar", "APT 1.yar", "APT 21.yar", "Gorgon Group.yar", "APT 28.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "resteex0", "id": "175858", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3594, "FileHash-SHA1": 1430, "FileHash-SHA256": 1429, "YARA": 979, "URL": 146, "domain": 85, "hostname": 48, "email": 2 }, "indicator_count": 7713, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1449 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "intelmeserver.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "intelmeserver.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776222907.796928 }