{ "type": "Domain", "indicator": "internal.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/internal.com", "alexa": "http://www.alexa.com/siteinfo/internal.com", "indicator": "internal.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2904864406, "indicator": "internal.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a019872d2134a70b4d8a5bf", "name": "Inside a phishing panel", "description": "Security researchers gained direct access to Doko's Panel, a real-time phishing platform used in criminal campaigns by ShinyHunters and BlackFile groups. The investigation revealed four distinct infrastructure clusters operating independently customized variants of the tooling. Attacks combine voice phishing with adversary-in-the-middle techniques targeting enterprise identity providers like Okta, Microsoft, and Google, as well as cryptocurrency exchanges. Operators call victims impersonating IT helpdesk staff, directing them to combosquatted domains where credentials and MFA tokens are manually relayed in real-time. Confirmed breaches include SoundCloud (30M records), Match Group (10M records), Betterment (20M records), and Crunchbase. Over 400 domains have been identified linked to these operations. Evidence shows extensive use of AI language models in developing phishing infrastructure, with operators leveraging legitimate services to rapidly deploy and rotate attack infrastructure.", "modified": "2026-05-11T09:51:30.463000", "created": "2026-05-11T08:50:58.648000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386532, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552838, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02ae2646130ca477596d9b", "name": "Inside a phishing panel", "description": "", "modified": "2026-05-12T04:35:50.590000", "created": "2026-05-12T04:35:50.590000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": "6a019872d2134a70b4d8a5bf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ef4ad212dd34e79e44a76", "name": "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft", "description": "Mandiant has reported a significant uptick in activities by threat actors associated with the ShinyHunters brand, particularly focusing on sophisticated vishing techniques and the use of credential harvesting websites to infiltrate corporate environments. The primary objective of these operations is to gain access to sensitive corporate data, particularly from cloud-based software-as-a-service (SaaS) applications, which the threat actors subsequently exfiltrate for extortion purposes.\n\nThe threat group UNC6661 has been active from early to mid-January 2026, impersonating IT staff to manipulate employees into providing their single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. This was accomplished by directing victims to phishing sites that replicated the branding of their organizations. The phishing domains associated with UNC6661 typically followed a naming pattern such as http://companynamesso.com or http://companynameinternal.com, being registered with NICENIC.", "modified": "2026-03-03T06:01:35.612000", "created": "2026-02-01T06:37:33.496000", "tags": [ "unc6671", "unc6661", "iocs", "january", "it staff", "tucows", "okta customer", "mandiant", "powershell", "sharepoint", "threat intelligence" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/" ], "public": 1, "adversary": "Shinyhunters", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 6, "email": 2, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd3295fc94de0f28964891", "name": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety | Google Cloud Blog", "description": "A new report from security firm Mandiant shows that the group known as UNC3944 is increasingly targeting businesses in a range of industries, including hospitality, retail, media and entertainment, and extortion.", "modified": "2024-08-14T22:41:33.478000", "created": "2024-08-14T22:41:25.585000", "tags": [ "unc3944", "mandiant", "hashicorp vault", "microburst", "azure", "entra id", "nowhere", "up unc3944", "unc3944 use", "vault client", "meduza stealer", "vidar", "atomic", "service", "factory", "meduza", "alphv" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [], "malware_families": [ { "id": "Meduza", "display_name": "Meduza", "target": null }, { "id": "VIDAR", "display_name": "VIDAR", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "www2.megawebfind.com [command_and_control]", "https://pushsecurity.com/blog/inside-criminal-phishing-panel", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto", "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/", "findbetterresults.com", "IOCs.csv", "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/" ], "related": { "alienvault": { "adversary": [ "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240" ], "malware_families": [], "industries": [ "Healthcare", "Hospitality", "Technology", "Education", "Aerospace", "Finance" ] }, "other": { "adversary": [ "Shinyhunters", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "Scattered Spider", "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240" ], "malware_families": [ "Vidar", "Agent tesla", "Ransomware", "Alphv", "Meduza" ], "industries": [ "Healthcare", "Hospitality", "Technology", "Education", "Aerospace", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a019872d2134a70b4d8a5bf", "name": "Inside a phishing panel", "description": "Security researchers gained direct access to Doko's Panel, a real-time phishing platform used in criminal campaigns by ShinyHunters and BlackFile groups. The investigation revealed four distinct infrastructure clusters operating independently customized variants of the tooling. Attacks combine voice phishing with adversary-in-the-middle techniques targeting enterprise identity providers like Okta, Microsoft, and Google, as well as cryptocurrency exchanges. Operators call victims impersonating IT helpdesk staff, directing them to combosquatted domains where credentials and MFA tokens are manually relayed in real-time. Confirmed breaches include SoundCloud (30M records), Match Group (10M records), Betterment (20M records), and Crunchbase. Over 400 domains have been identified linked to these operations. Evidence shows extensive use of AI language models in developing phishing infrastructure, with operators leveraging legitimate services to rapidly deploy and rotate attack infrastructure.", "modified": "2026-05-11T09:51:30.463000", "created": "2026-05-11T08:50:58.648000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386532, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552838, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02ae2646130ca477596d9b", "name": "Inside a phishing panel", "description": "", "modified": "2026-05-12T04:35:50.590000", "created": "2026-05-12T04:35:50.590000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": "6a019872d2134a70b4d8a5bf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ef4ad212dd34e79e44a76", "name": "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft", "description": "Mandiant has reported a significant uptick in activities by threat actors associated with the ShinyHunters brand, particularly focusing on sophisticated vishing techniques and the use of credential harvesting websites to infiltrate corporate environments. The primary objective of these operations is to gain access to sensitive corporate data, particularly from cloud-based software-as-a-service (SaaS) applications, which the threat actors subsequently exfiltrate for extortion purposes.\n\nThe threat group UNC6661 has been active from early to mid-January 2026, impersonating IT staff to manipulate employees into providing their single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. This was accomplished by directing victims to phishing sites that replicated the branding of their organizations. The phishing domains associated with UNC6661 typically followed a naming pattern such as http://companynamesso.com or http://companynameinternal.com, being registered with NICENIC.", "modified": "2026-03-03T06:01:35.612000", "created": "2026-02-01T06:37:33.496000", "tags": [ "unc6671", "unc6661", "iocs", "january", "it staff", "tucows", "okta customer", "mandiant", "powershell", "sharepoint", "threat intelligence" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/" ], "public": 1, "adversary": "Shinyhunters", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 6, "email": 2, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd3295fc94de0f28964891", "name": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety | Google Cloud Blog", "description": "A new report from security firm Mandiant shows that the group known as UNC3944 is increasingly targeting businesses in a range of industries, including hospitality, retail, media and entertainment, and extortion.", "modified": "2024-08-14T22:41:33.478000", "created": "2024-08-14T22:41:25.585000", "tags": [ "unc3944", "mandiant", "hashicorp vault", "microburst", "azure", "entra id", "nowhere", "up unc3944", "unc3944 use", "vault client", "meduza stealer", "vidar", "atomic", "service", "factory", "meduza", "alphv" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [], "malware_families": [ { "id": "Meduza", "display_name": "Meduza", "target": null }, { "id": "VIDAR", "display_name": "VIDAR", "target": null }, { "id": "ALPHV", "display_name": "ALPHV", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659331580cd1571f730b8de2", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.242000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659331589faf01b909c1802d", "name": "Agent Tesla | Spyware | Tracking Android & Apple users | Malware Attack", "description": "", "modified": "2024-01-31T14:03:30.344000", "created": "2024-01-01T21:40:40.413000", "tags": [ "maxads0", "kld1063", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls http", "ssl certificate", "whois record", "contacted", "referrer", "historical ssl", "march", "communicating", "copy", "january", "collections", "execution", "malware", "startpage", "malicious", "ransomware", "agent tesla", "attack", "android", "name verdict", "falcon sandbox", "reports", "falcon", "windir", "path", "programfiles", "pe32", "ms windows", "getprocaddress", "file type", "mitre att", "ck id", "show technique", "win64", "date", "open", "hybrid", "cookie", "tracking", "apple", "spyware", "malware", "tablet", "superwebbysearch", "hallrender", "pegasus", "briansabey", "aig", "abuse", "tulach" ], "references": [ "findbetterresults.com", "https://hybrid-analysis.com/sample/bba36b3ae7c49d1cffcc5f8e045d81e9307a2e1a86b923f89008e9377d171fb6", "https://www.virustotal.com/gui/url/eed406872c2e6ef550b948510fe0b7b4c71f752f58551c2f8e61d31a19d2a153/summary", "http://www.applerewards.website/pl/3/index.html?voluumdata=BASE64dmlkLi4wMDAwMDAwMi00NGFiLTQzNDktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjJhYWQzMDAwLWJiMzYtMTFlNi04YTYyLTBlYzcxZTllMDMzMV9fY2FpZC4uNjBhMjIwOWUtNWMzNC00OGQ4LWIyNDctYWM5YzVkOTM3MzZhX19ydC4uUl9fbGlkLi4yYTRjOTA4My0zY2RmLTQyNDktOGJmOS0yODMxZWYzNGRhYTlfX29pZDEuLjUwMGE4NDhjLTA2NGEtNDYyZi05MDNmLTgxYzY4ODNmODEwZl9fdmFyMS4uNjA4OTYxX192YXIyLi42NzEwMjhfX3JkLi5vbmNsaWNrYWRzXC5cbmV0X19haWQuLl9fYWIuLl9fc2lkLi4&zoneid=608961&campaignid=671028&visitor_id=4003954", "www2.megawebfind.com [command_and_control]", "https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= [command_and_control] stolec kradnie krypto" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2368, "FileHash-SHA256": 4539, "hostname": 2892, "URL": 9741, "FileHash-MD5": 836, "FileHash-SHA1": 461, "CVE": 1 }, "indicator_count": 20838, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "850 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "internal.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "error": "Expecting value: line 1 column 1 (char 0)", "indicator": "internal.com" }, "from_cache": true, "_cached_at": 1780234211.6702743 }