{ "type": "Domain", "indicator": "internxtvpn.pro", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/internxtvpn.pro", "alexa": "http://www.alexa.com/siteinfo/internxtvpn.pro", "indicator": "internxtvpn.pro", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4017708389, "indicator": "internxtvpn.pro", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67911c6446b0ab9591b82cad", "name": "Targeted supply chain attack against Chrome browser extensions", "description": "In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.", "modified": "2025-02-21T16:00:53.144000", "created": "2025-01-22T16:27:16.545000", "tags": [ "supply chain", "credentials", "phishing", "data harvesting", "browser extensions" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 57, "email": 2 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386498, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682edf92b2fa4361f01cadbc", "name": "CyberhavenCampaign", "description": "The following is a full list of results from the 2015 World Economic Forum in Davos, Switzerland:-1 July 2016.. and the other parts of the world, which had previously been dominated by Facebook, Twitter and Facebook.", "modified": "2025-06-21T08:00:15.130000", "created": "2025-05-22T08:25:54.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e57df4eaaa694ee986beeb", "name": "Cyberhaven Breach-related long term campaign cluster - January 2025", "description": "On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer\u2019s account via authorizing a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.\n\nhttps://dti.domaintools.com/cyberhaven-breach-likely-part-of-a-long-term-criminal-campaign/", "modified": "2025-04-26T16:04:17.817000", "created": "2025-03-27T16:33:56.678000", "tags": [ "supply chain", "chatgpt", "facebook business manager", "meta" ], "references": [ "https://dti.domaintools.com/cyberhaven-breach-likely-part-of-a-long-term-criminal-campaign/", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "icampbell", "id": "308595", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308595/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a4201ac174a03171235ef", "name": "Targeted supply chain attack against Chrome browser extensions - Sekoia.io Blog", "description": "A security firm, Sekoia, has uncovered a supply chain attack against Chrome browser extensions, which it believes may have been carried out since at least 2023 and possibly even earlier, according to its analysis.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:58:09.517000", "tags": [ "chrome", "december", "chrome web", "store", "c2 server", "cyberhaven", "chatgpt", "urls", "post request", "chrome browser", "facebook", "phishing", "requires", "john", "stealc", "vidar", "raccoon" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 63, "email": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762fc1041a0f096f0057ea3", "name": "Unknown malware", "description": "threatfox", "modified": "2025-02-05T19:02:40.239000", "created": "2024-12-18T16:45:04.660000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberskink", "id": "302878", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "domain": 66, "hostname": 49, "URL": 93, "FileHash-SHA256": 2 }, "indicator_count": 216, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6772b33cc3f08da9baa9f1c0", "name": "Secure Annex - Enterprise Browser Extension Security & Management Platform", "description": "On December 26th, 2024, Cyberhaven sent out an email to their users informing them that their extension had been compromised after an administrator account pushed a new update with malicious code to the Chrome web store. As users investigated the incident, it was discovered that more extensions had been compromised in the same way. This is a live blog post as more is learned about the incident and attack.", "modified": "2024-12-30T14:50:36.053000", "created": "2024-12-30T14:50:36.053000", "tags": [ "browser extension security", "annex", "compromise", "secure annex" ], "references": [ "https://secureannex.com/blog/cyberhaven-extension-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "z_ack000", "id": "287486", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "domain": 5 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "516 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676f41812e14d678eb089bbd", "name": "Twitter Feed - cstanley - 27-12-2024", "description": "", "modified": "2024-12-28T00:08:27.777000", "created": "2024-12-28T00:08:27.777000", "tags": [], "references": [ "https://x.com/cstanley/status/1872435377799352648" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 13, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "519 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign", "https://threatfox.abuse.ch/export/csv/recent/", "https://x.com/cstanley/status/1872435377799352648", "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions", "https://secureannex.com/blog/cyberhaven-extension-compromise/", "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/", "https://dti.domaintools.com/cyberhaven-breach-likely-part-of-a-long-term-criminal-campaign/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Advertising", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67911c6446b0ab9591b82cad", "name": "Targeted supply chain attack against Chrome browser extensions", "description": "In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.", "modified": "2025-02-21T16:00:53.144000", "created": "2025-01-22T16:27:16.545000", "tags": [ "supply chain", "credentials", "phishing", "data harvesting", "browser extensions" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 57, "email": 2 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386498, "modified_text": "463 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682edf92b2fa4361f01cadbc", "name": "CyberhavenCampaign", "description": "The following is a full list of results from the 2015 World Economic Forum in Davos, Switzerland:-1 July 2016.. and the other parts of the world, which had previously been dominated by Facebook, Twitter and Facebook.", "modified": "2025-06-21T08:00:15.130000", "created": "2025-05-22T08:25:54.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e57df4eaaa694ee986beeb", "name": "Cyberhaven Breach-related long term campaign cluster - January 2025", "description": "On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer\u2019s account via authorizing a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies primarily in the technology sector.\n\nhttps://dti.domaintools.com/cyberhaven-breach-likely-part-of-a-long-term-criminal-campaign/", "modified": "2025-04-26T16:04:17.817000", "created": "2025-03-27T16:33:56.678000", "tags": [ "supply chain", "chatgpt", "facebook business manager", "meta" ], "references": [ "https://dti.domaintools.com/cyberhaven-breach-likely-part-of-a-long-term-criminal-campaign/", "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/CyberhavenCampaign" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Advertising" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "icampbell", "id": "308595", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308595/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a4201ac174a03171235ef", "name": "Targeted supply chain attack against Chrome browser extensions - Sekoia.io Blog", "description": "A security firm, Sekoia, has uncovered a supply chain attack against Chrome browser extensions, which it believes may have been carried out since at least 2023 and possibly even earlier, according to its analysis.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:58:09.517000", "tags": [ "chrome", "december", "chrome web", "store", "c2 server", "cyberhaven", "chatgpt", "urls", "post request", "chrome browser", "facebook", "phishing", "requires", "john", "stealc", "vidar", "raccoon" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 63, "email": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "456 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6762fc1041a0f096f0057ea3", "name": "Unknown malware", "description": "threatfox", "modified": "2025-02-05T19:02:40.239000", "created": "2024-12-18T16:45:04.660000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cyberskink", "id": "302878", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "domain": 66, "hostname": 49, "URL": 93, "FileHash-SHA256": 2 }, "indicator_count": 216, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6772b33cc3f08da9baa9f1c0", "name": "Secure Annex - Enterprise Browser Extension Security & Management Platform", "description": "On December 26th, 2024, Cyberhaven sent out an email to their users informing them that their extension had been compromised after an administrator account pushed a new update with malicious code to the Chrome web store. As users investigated the incident, it was discovered that more extensions had been compromised in the same way. This is a live blog post as more is learned about the incident and attack.", "modified": "2024-12-30T14:50:36.053000", "created": "2024-12-30T14:50:36.053000", "tags": [ "browser extension security", "annex", "compromise", "secure annex" ], "references": [ "https://secureannex.com/blog/cyberhaven-extension-compromise/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "z_ack000", "id": "287486", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 8, "domain": 5 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "516 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676f41812e14d678eb089bbd", "name": "Twitter Feed - cstanley - 27-12-2024", "description": "", "modified": "2024-12-28T00:08:27.777000", "created": "2024-12-28T00:08:27.777000", "tags": [], "references": [ "https://x.com/cstanley/status/1872435377799352648" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 13, "hostname": 1 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "519 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "internxtvpn.pro", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "internxtvpn.pro", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214882.0194302 }